Define ticket lifetime and renewable time when using MIT Kerberos.
Inspect initial configuration
Inspect initial Kerberos KDC configuration.
$ sudo cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    OCTOCAT.LAB = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
This configuration defines a maximum ticket lifetime of 10 hours (max_life) and allows a renewable ticket to be renewed for up to 7 days (max_renewable_life). Note that master_key_type = des3-hmac-sha1 is a deprecated enctype in current MIT Kerberos releases; this page does not change it, but a new realm should use an AES master key type.
Inspect Kerberos configuration.
$ cat /etc/krb5.conf
[libdefaults]
    default_realm = OCTOCAT.LAB
    default_ccache_name = KEYRING:persistent:%{uid}
    forwardable = true

[realms]
    OCTOCAT.LAB = {
        kdc = kerberos.octocat.lab
        admin_server = kerberos.octocat.lab
        default_domain = octocat.lab
    }

[domain_realm]
    octocat.lab = OCTOCAT.LAB
    .octocat.lab = OCTOCAT.LAB
It does not define default values for ticket lifetime (ticket_lifetime) or renewable lifetime (renew_lifetime).
Without them kinit asks for the library defaults: a ticket lifetime of 1 day and no renewable lifetime. The KDC caps the lifetime at its max_life of 10 hours, and because the client library sets the renewable-ok option in the request, the KDC issues the ticket as renewable until the originally requested end time, 1 day after it was obtained. That is what klist shows below: the ticket expires after 10 hours but can be renewed for up to one day.
$ kinit
Password for milosz@OCTOCAT.LAB: ************
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: milosz@OCTOCAT.LAB

Valid starting       Expires              Service principal
11/12/21 01:48:18  11/12/21 11:48:18  krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
        renew until 11/13/21 01:48:16
$ kdestroy
Update configuration
I will update the configuration to set the ticket lifetime to 1 day and the maximum renewable lifetime to 7 days.
First, increase the maximum ticket lifetime in the KDC configuration; the KDC will never issue a ticket longer than max_life, whatever the client asks for.
$ sudo cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    OCTOCAT.LAB = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 1d 0h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
Restart the KDC server to apply the new configuration.
$ sudo systemctl restart krb5-kdc.service
Update the client Kerberos configuration to set the default values requested by kinit. No service restart is needed for this file; it is read by the client libraries on each use.
$ cat /etc/krb5.conf
[libdefaults]
    default_realm = OCTOCAT.LAB
    default_ccache_name = KEYRING:persistent:%{uid}
    ticket_lifetime = 1d
    renew_lifetime = 7d

[realms]
    OCTOCAT.LAB = {
        kdc = kerberos.octocat.lab
        admin_server = kerberos.octocat.lab
        default_domain = octocat.lab
    }

[domain_realm]
    octocat.lab = OCTOCAT.LAB
    .octocat.lab = OCTOCAT.LAB
Execute the Kerberos database administration utility.
$ sudo kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@OCTOCAT.LAB: ************
Inspect the principal settings, in particular the "Maximum ticket life" and "Maximum renewable life" values, which are stored per principal and also cap what the KDC will issue.
kadmin: get_principal milosz
Principal: milosz@OCTOCAT.LAB
Expiration date: [never]
Last password change: Tue Nov 09 01:55:53 CET 2021
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 09 01:55:53 CET 2021 (root/admin@OCTOCAT.LAB)
Last successful authentication: Fri Nov 12 01:42:44 CET 2021
Last failed authentication: Fri Nov 12 01:42:40 CET 2021
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Update these values for each user principal. They were copied from the realm's max_life and max_renewable_life when the principal was created, so existing principals keep the old 10-hour limit until they are modified.
kadmin: modify_principal -maxlife 1d -maxrenewlife 7d milosz
Principal "milosz@OCTOCAT.LAB" modified.
You will also be limited by the krbtgt principal: the lifetime of an issued TGT is the smallest of the value requested by the client, the realm's max_life, the user principal's maximum ticket life and the krbtgt principal's maximum ticket life (the same applies to the renewable lifetime), so a 1-day limit on milosz alone still yields 10-hour tickets.
kadmin: get_principal krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
Principal: krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
Expiration date: [never]
Last password change: [never]
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Nov 07 01:50:56 CET 2021 (db_creation@OCTOCAT.LAB)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH LOCKDOWN_KEYS
Policy: [none]
Update the krbtgt/OCTOCAT.LAB@OCTOCAT.LAB principal as well.
kadmin: modify_principal -maxlife 1d -maxrenewlife 7d krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
Principal "krbtgt/OCTOCAT.LAB@OCTOCAT.LAB" modified.
Now try to obtain and cache a Kerberos ticket-granting ticket and verify that the new limits are applied.
$ kinit
Password for milosz@OCTOCAT.LAB: ************
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: milosz@OCTOCAT.LAB

Valid starting       Expires              Service principal
11/12/21 02:53:08  11/13/21 02:53:07  krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
        renew until 11/19/21 02:53:07
$ kdestroy