Kerberos ticket renewal time considerations

    The answers are here:

    Can the lifetime be longer than the renewal time?

    Technically, yes. Logically, the ticket lifetime should not be longer than the ticket renewal time. Let’s say the lifetime is 8 days and the renewal time is 7 days. The ticket will be invalid after 7 days no matter what the lifetime value is. Renewal time is the maximum cumulative time a ticket can be extended for.

    When a ticket has to be renewed or re-obtained, where does the user's password hash come from?

    Answer:

    Password hash of an interactively logged-on user:

    The LSA also keeps a copy of an interactive user's hashed password. If the user's TGT expires during a logon session, the Kerberos SSP uses the LSA's copy of the hashed password to obtain a new TGT without interrupting the user's logon session. The password is not stored permanently on the computer, and the local copy of the hashed password is destroyed when the user's logon session is destroyed.

    Service and computer account hashes:

    Hashed passwords for services and computers are handled differently than above. As in Windows NT, hashed passwords are stored in a secure area of the computer's registry. The registry is also used to store hashed passwords for user accounts on the local system, but local accounts are used only for access to computers in standalone mode, never for network access.

    Default values:

    • Maximum lifetime for user ticket: 10 hours
    • Maximum lifetime for user ticket renewal: 7 days

    Please note that the “ticket renewal” value equals the “maximum cumulative ticket life”. It means that a ticket can be refreshed (a new session key is assigned) every 10 hours for 7 days. If it has been 7 days or more since the ticket was created, a new ticket has to be created even if the ticket is renewable. This is because the maximum cumulative ticket life is reached.

    Any side effects if the lifetime is the same as renewal time?

    It’s acceptable. However, it is better if the renewal time is longer than the lifetime. If they are the same:

    • If the value is small, such as 1 day, it means the client should reauthenticate every day, which makes the process inefficient
    • If the value is high, such as 3-4 days, it means the client will stay authenticated for 3-4 days. There are security concerns around high ticket lifetimes:
      • If an account is disabled (let’s say the person leaves the company), the account can continue to use the application until the ticket is expired
      • If the ticket is compromised, the attacker will be able to penetrate the system until the ticket is expired
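The timing rules quoted above (the 10-hour / 7-day defaults, the 8-day lifetime being cut to 7 days, and equal lifetime and renewal values forcing daily re-authentication) are easier to check with a small model than to reason about in prose. The following is an added example written for this page, not code from the original post or from any Kerberos implementation. It models only the three ticket time fields from RFC 4120 (authtime, endtime, renew-till) and the KDC's renewal decision; the assumption that the KDC re-validates the account on every renewal and refuses a disabled account (KDC_ERR_CLIENT_REVOKED, as Active Directory does) is a simplification, and the functions and names are this example's own.

```python
"""Model of Kerberos renewable-ticket timing (added example, not from the page's source).

Only the RFC 4120 ticket time fields are modelled: authtime, endtime and renew-till.
The KDC's policy limits are the two Windows defaults quoted in the text above.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

MAX_TICKET_LIFE = timedelta(hours=10)   # "Maximum lifetime for user ticket"
MAX_RENEWABLE_LIFE = timedelta(days=7)  # "Maximum lifetime for user ticket renewal"


class KerberosError(Exception):
    """Stand-in for a KDC error reply; messages name the RFC 4120 error code."""


@dataclass(frozen=True)
class Ticket:
    authtime: datetime    # when the client last proved its password (AS exchange)
    endtime: datetime     # current expiry; moves forward on each successful renewal
    renew_till: datetime  # hard ceiling on endtime; fixed when the ticket is issued


def issue_ticket(now, max_life=MAX_TICKET_LIFE, max_renewable=MAX_RENEWABLE_LIFE):
    """AS exchange: endtime and renew-till are derived from KDC policy.
    endtime is capped at renew-till, so a lifetime longer than the renewal time
    (the 8-day / 7-day case in the text) is silently cut down to the renewal time."""
    renew_till = now + max_renewable
    endtime = min(now + max_life, renew_till)
    return Ticket(authtime=now, endtime=endtime, renew_till=renew_till)


def renew_ticket(t, now, account_enabled=True, max_life=MAX_TICKET_LIFE):
    """TGS exchange with the RENEW option. No password hash is involved: the client
    presents the still-valid ticket and receives a new endtime and session key."""
    if now > t.endtime:
        raise KerberosError("KRB_AP_ERR_TKT_EXPIRED: re-authenticate (AS exchange) instead")
    if now > t.renew_till:
        raise KerberosError("ticket is past renew-till: cumulative life reached")
    if not account_enabled:
        # Assumption of this model: the KDC re-checks the principal on every renewal.
        raise KerberosError("KDC_ERR_CLIENT_REVOKED: account disabled")
    # The new endtime never passes renew-till; that is what makes renew-till cumulative.
    return replace(t, endtime=min(now + max_life, t.renew_till))


def ticket_usable(t, now):
    """A service only sees the ticket; it cannot tell that the account was disabled."""
    return now <= t.endtime


def simulate_renewals(max_life_hours, max_renewable_hours):
    """Renew at every expiry until the KDC refuses or stops extending the ticket.
    Returns (number of renewals that extended the ticket, total hours the logon
    session stayed valid without a password)."""
    start = datetime(2024, 1, 1)  # constructed logon time
    max_life = timedelta(hours=max_life_hours)
    t = issue_ticket(start, max_life, timedelta(hours=max_renewable_hours))
    renewals = 0
    while True:
        try:
            nt = renew_ticket(t, t.endtime, max_life=max_life)
        except KerberosError:
            break
        if nt.endtime <= t.endtime:   # renewal granted but gained nothing: re-auth needed
            break
        t, renewals = nt, renewals + 1
    return renewals, (t.endtime - start).total_seconds() / 3600


def disabled_account_scenario(hours_after_logon):
    """Account disabled some hours after logon with the default policy.
    Returns (existing ticket still accepted by a service?, KDC renews it?)."""
    start = datetime(2024, 1, 1)
    t = issue_ticket(start)
    now = start + timedelta(hours=hours_after_logon)
    try:
        renew_ticket(t, now, account_enabled=False)
        renewed = True
    except KerberosError:
        renewed = False
    return ticket_usable(t, now), renewed


if __name__ == "__main__":
    print("10h / 7d defaults  :", simulate_renewals(10, 24 * 7))      # 16 renewals, 168.0 h
    print("8d life / 7d renew :", simulate_renewals(24 * 8, 24 * 7))  # 0 renewals, 168.0 h
    print("1d life / 1d renew :", simulate_renewals(24, 24))          # 0 renewals, 24.0 h
    print("disabled after 3h  :", disabled_account_scenario(3))      # (True, False)
    print("disabled after 11h :", disabled_account_scenario(11))     # (False, False)
```

The run shows the three claims in the text directly: with the defaults a session is extended 16 times and lasts exactly the 7-day cumulative limit; an 8-day lifetime under a 7-day renewal time is issued already capped at 7 days and is never worth renewing; and when lifetime equals renewal time no renewal ever extends the ticket, so the client must re-authenticate at each expiry. The disabled-account case shows the security point from the list above: renewal is the only point at which the KDC re-checks the account, so the already-issued ticket keeps working at the service until its endtime, which is why a long lifetime (not a long renewal time) is the risky setting.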
Original article: https://www.cnblogs.com/jjkv3/p/15698529.html