• Kerberos ticket renewal time considerations


    The answer is here:

    Can the lifetime be longer than the renewal time?

    Technically, yes. Logically, the ticket lifetime should not be longer than the ticket renewal time. Let’s say the lifetime is 8 days and the renewal time is 7 days. The ticket will be invalid after 7 days no matter what the lifetime value is. Renewal time is the maximum cumulative time a ticket can be extended for.

    Where does the user's hash come from when a ticket is renewed?

    Answer:

    Password hash of an interactively logged-on user:

    The LSA also keeps a copy of an interactive user's hashed password. If the user's TGT expires during a logon session, the Kerberos SSP uses the LSA's copy of the hashed password to obtain a new TGT without interrupting the user's logon session. The password is not stored permanently on the computer, and the local copy of the hashed password is destroyed when the user's logon session is destroyed.

    Service and computer hashes

    Hashed passwords for services and computers are handled differently than above. As in Windows NT, hashed passwords are stored in a secure area of the computer's registry. The registry is also used to store hashed passwords for user accounts on the local system, but local accounts are used only for access to computers in standalone mode, never for network access.

    Default values

    • Maximum lifetime for user ticket: 10 hours
    • Maximum lifetime for user ticket renewal: 7 days

    Please note that the “ticket renewal” value is equal to the “maximum cumulative ticket life”. It means that a ticket can be refreshed (a new session key is assigned) every 10 hours for 7 days. If it has been 7 days or more since the ticket was created, a new ticket has to be created even if the ticket is renewable. This is because the maximum cumulative ticket life has been reached.

    Any side effects if the lifetime is the same as renewal time?

    It’s acceptable. However, it is better if the renewal time is longer than the lifetime. If they are the same:

    • If the value is small such as 1 day, it means the client should reauthenticate every day which makes the process inefficient
    • If the value is high such as 3-4 days, it means the client will stay authenticated for 3-4 days. There are security concerns around high ticket lifetimes:
      • If an account is disabled (let’s say the person leaves the company), the account can continue to use the application until the ticket is expired
      • If the ticket is compromised, the attacker will be able to penetrate the system until the ticket is expired
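
    The two points above (the LSA's cached hash is needed only for a brand-new TGT, and the renewal value caps the cumulative ticket life) can be made concrete with a small simulation. This is an added example, not code from the original post or from any Kerberos implementation. It follows the renewal rules of RFC 4120 section 3.3.3 (renew only while the old ticket is unexpired and renew-till is still in the future; the new end time is the old lifetime from now, capped at renew-till) and the Windows behaviour quoted above (the Kerberos SSP falls back to the LSA's cached hash only when renewal is refused). The logon time, the 16-byte hash stand-in and the policy values are constructed; a ticket is treated as still usable at exactly its end time.

```python
"""Toy model of Kerberos TGT lifetime vs. renewal policy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


class KerberosError(Exception):
    """The simulated KDC refused the request."""


@dataclass
class Policy:
    max_lifetime: timedelta   # "Maximum lifetime for user ticket"
    max_renewal: timedelta    # "Maximum lifetime for user ticket renewal"


DEFAULT_POLICY = Policy(max_lifetime=10 * HOUR, max_renewal=7 * DAY)


@dataclass
class Ticket:
    start: datetime
    end: datetime         # expiry of this ticket instance
    renew_till: datetime  # no renewal may push 'end' past this point


class SimulatedKdc:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def as_req(self, now: datetime, password_hash: Optional[bytes]) -> Ticket:
        # Initial authentication: the client must prove knowledge of its
        # long-term key (the password hash). No hash, no new TGT.
        if password_hash is None:
            raise KerberosError("AS-REQ impossible: no password hash available")
        return Ticket(start=now,
                      end=now + self.policy.max_lifetime,
                      renew_till=now + self.policy.max_renewal)

    def renew(self, tgt: Ticket, now: datetime) -> Ticket:
        # TGS-REQ with the RENEW option: the old TGT is the credential,
        # so the password hash is not involved here.
        if now > tgt.end:
            raise KerberosError("ticket already expired; renewal refused")
        if now >= tgt.renew_till:
            raise KerberosError("maximum cumulative ticket life reached")
        lifetime = tgt.end - tgt.start
        return Ticket(start=now,
                      end=min(now + lifetime, tgt.renew_till),
                      renew_till=tgt.renew_till)


class Client:
    """Mimics the Kerberos SSP: renew while the KDC allows it, otherwise fall
    back to the LSA's cached hash for a fresh TGT."""

    def __init__(self, kdc: SimulatedKdc, cached_hash: Optional[bytes]) -> None:
        self.kdc = kdc
        self.cached_hash = cached_hash
        self.tgt: Optional[Ticket] = None
        self.renewals = 0
        self.reauths = 0

    def ensure_tgt(self, now: datetime) -> Ticket:
        if self.tgt is not None:
            try:
                self.tgt = self.kdc.renew(self.tgt, now)
                self.renewals += 1
                return self.tgt
            except KerberosError:
                pass  # fall through to a full re-authentication
        self.tgt = self.kdc.as_req(now, self.cached_hash)
        self.reauths += 1
        return self.tgt


def simulate(policy: Policy, duration: timedelta,
             keep_hash_cached: bool = True) -> Tuple[int, int]:
    """Keep one logon session's TGT valid for `duration`, refreshing it each
    time the current ticket runs out. Returns (renewals, re-authentications)."""
    logon_hash = bytes(range(16))          # constructed NT-hash stand-in
    client = Client(SimulatedKdc(policy), logon_hash)
    t0 = datetime(2021, 12, 17, 9, 0)      # constructed interactive logon time
    now = t0
    client.ensure_tgt(now)                 # interactive logon: AS-REQ with hash
    if not keep_hash_cached:
        client.cached_hash = None          # LSA copy destroyed with the session
    while now < t0 + duration:
        now = client.tgt.end
        client.ensure_tgt(now)
    return client.renewals, client.reauths


if __name__ == "__main__":
    print("defaults (10 h / 7 d), one week:", simulate(DEFAULT_POLICY, 7 * DAY))
    print("lifetime == renewal (1 d / 1 d), one week:",
          simulate(Policy(DAY, DAY), 7 * DAY))
```

    With the default policy a week of continuous logon costs 16 renewals and two full authentications (the logon itself and one more when the 7-day cumulative limit is hit). With lifetime equal to renewal (one day each) no renewal ever succeeds, so the client re-authenticates every day, which is the inefficiency the answer above describes. Run with `keep_hash_cached=False`, the simulation raises `KerberosError` at the renewal limit: once the LSA's copy of the hash is gone, only renewal is possible, never a new TGT.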
  • Original URL: https://www.cnblogs.com/jjkv3/p/15698529.html