James Starks

Reputation: 31

Kerberos auto update for "renew until"

Searching with keywords like Kerberos "renew until" auto doesn't find threads that can solve my problem, so I'm posting here.

I created a keytab which contains the following ticket lifetime info:

Valid starting: 09/14/2018 13:05:01 
Expires: 09/15/2018 13:05:01
renew until: 09/19/2018 09:26:37

Based on Hadoop kerberos ticket auto renew

I am able to renew ticket extending Expires date without a problem.

Now another problem is that "renew until" is set to expire after 7 days.

My question:

Edit: formatting

Upvotes: 3

Views: 7091

Answers (1)

Tagar

Reputation: 14891

Renewable TGTs

When tickets are renewable, session keys are refreshed periodically without issuing a completely new ticket. If Kerberos policy permits renewable tickets, the KDC sets a RENEWABLE flag in every ticket it issues and sets two expiration times in the ticket. One expiration time limits the life of the current instance of the ticket; the second expiration time sets a limit on the cumulative lifetime of all instances of the ticket.

The expiration time for the current instance of the ticket is held in the End Time field. As with non-renewable tickets, the value in the End Time field equals the value in the Start Time field plus the value of the maximum ticket life specified by Kerberos policy. A client holding a renewable ticket must send it, presenting a fresh authenticator as well, to the KDC for renewal before the end time is reached. When the KDC receives a ticket for renewal, it checks the value of a second expiration time held in the Renew Till field. This value is set when the ticket is first issued. It equals the value in the ticket's Start Time field plus the value of the maximum cumulative ticket life specified by Kerberos policy. When the KDC renews the ticket, it checks to determine if the renew-till time has not yet arrived. If it has not, the KDC issues a new instance of the ticket with a later end time and a new session key.

This means that administrators can set Kerberos policy so that tickets must be renewed at relatively short intervals (every day, for example). When tickets are renewed, a new session key is issued, minimizing the value of a compromised key. Administrators can also set cumulative ticket life for a relatively long period (one week or one month, for example). At the end of that time, the ticket expires and is no longer valid for renewal.

So renew-until is part of the ticket, and its max value is limited on the server side for security reasons. There is no workaround for that by design.

Upvotes: 2
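To make the two expiration times concrete, here is an added example (not code from the question or the answer) that models the rules the answer describes: a renewal request must arrive before the current End Time, it is only granted while Renew Till has not yet arrived, and the renewed End Time is capped at Renew Till. The klist-style sample text is constructed from the three dates the asker posted, the MM/DD/YYYY HH:MM:SS line format is assumed from that output, and the 12-hour renewal interval is a constructed choice, not a setting from either post.

```python
"""Model of Kerberos renewable-ticket lifetimes (End Time vs. Renew Till).

Added example, not part of the original question or answer.  The sample
text is constructed from the dates in the question; the parser assumes the
"Label: MM/DD/YYYY HH:MM:SS" line format shown there.
"""
from datetime import datetime, timedelta

# Constructed sample: the three lifetime lines from the question.
SAMPLE_KLIST = """\
Valid starting: 09/14/2018 13:05:01
Expires: 09/15/2018 13:05:01
renew until: 09/19/2018 09:26:37
"""

_FMT = "%m/%d/%Y %H:%M:%S"


def parse_lifetimes(text):
    """Return (valid_starting, expires, renew_until) from klist-style lines."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only; the timestamp itself contains colons.
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = datetime.strptime(value.strip(), _FMT)
    return fields["valid starting"], fields["expires"], fields["renew until"]


def ticket_state(now, expires, renew_until):
    """Classify the ticket at time `now`.

    The current instance is usable until End Time (`expires`).  A renewal
    must be requested before End Time, and the KDC only grants it while
    Renew Till (`renew_until`) has not yet arrived.
    """
    if now >= expires:
        return "expired"            # too late to renew this instance
    if now >= renew_until:
        return "active-final"       # still usable, but renewal will be refused
    return "active-renewable"


def renew(now, expires, renew_until, max_life):
    """Return the End Time of the renewed instance, or None if renewal fails.

    `max_life` is the per-instance limit from KDC policy.  The new End Time
    is capped at Renew Till, so the cumulative lifetime never exceeds the
    limit fixed when the ticket was first issued.
    """
    if ticket_state(now, expires, renew_until) != "active-renewable":
        return None
    return min(now + max_life, renew_until)


def simulate_renewals(valid_starting, expires, renew_until, every):
    """Renew `every` interval after issue; return (instances, final End Time)."""
    max_life = expires - valid_starting          # 24h for the sample ticket
    now, end = valid_starting, expires
    instances = 1
    while True:
        now += every
        new_end = renew(now, end, renew_until, max_life)
        if new_end is None:
            break
        end = new_end
        instances += 1
    return instances, end


def demo(every_hours=12):
    """Run the simulation on the sample ticket with a given renewal interval."""
    valid_starting, expires, renew_until = parse_lifetimes(SAMPLE_KLIST)
    return simulate_renewals(valid_starting, expires, renew_until,
                             timedelta(hours=every_hours))


if __name__ == "__main__":
    for hours in (12, 24):
        instances, final_end = demo(hours)
        print(f"renew every {hours}h: {instances} instance(s), "
              f"last one expires {final_end:{_FMT}}")
```

Renewing every 12 hours keeps the sample ticket alive through nine renewals, but the last instance still ends exactly at the Renew Till value from the question; renewing only every 24 hours is too late, because the first request arrives at End Time and the instance can no longer be renewed. That is the behaviour the answer describes: the cumulative limit is carried inside the ticket, so no client-side scheduling can push it past renew-until.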
