[419] in Kerberos

using Kerberos with AFS, some comments

daemon@TELECOM.MIT.EDU (Mike Kazar)
Fri Jul 1 14:38:31 1988

From: Mike Kazar <kazar+@ANDREW.CMU.EDU>
To: kerberos@ATHENA.MIT.EDU

I've been looking at making the Andrew file system authentication system
"compatible" with the Kerberos authentication system.  The most fundamental
level of compatibility we can aim for is compatibility at the ticket level: our
file system has to understand Kerberos-generated tickets, otherwise no other
level of compatibility even makes sense.

The only problem we have in using Kerberos-format tickets in our system is that
the lifetime field simply does not allow us to represent long expiration times.
We have been running the Andrew file system using tickets (of our own design)
that expire in 25 hours, and have been repeatedly criticized by our users on
the grounds that this value is too small.  We've promised to address that
problem in our "next" system, which we hope to make Kerberos-based.

I believe that it is reasonable, in certain restricted applications, for ticket
lifetimes to be as long as two weeks, rather than the 21+ hours in the present
format.  Note that we're *not* arguing for the default ticket timeout value to
be weeks, simply that for certain applications, long values make sense.

I would therefore suggest/request/whatever that the Kerberos ticket lifetime
field be increased from its current 8 bits (of 5 minute resolution) to 16 bits
(of unsigned 5 minute resolution), increasing the maximum ticket lifetime
representable to about 227 days.
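As an added illustration (not code from this post or from MIT's Kerberos sources), the arithmetic behind the two field widths, with an encoder that refuses a lifetime the field cannot hold rather than storing a value that has wrapped around:

```c
#include <stdio.h>

/* Added example, not code from the post or from MIT Kerberos: a ticket
 * lifetime field of fixed width in 5-minute units, as in the V4 ticket,
 * for the current 8-bit width and the proposed 16-bit width. */
#define LIFETIME_UNIT_MINUTES 5UL
#define CURRENT_BITS  8
#define PROPOSED_BITS 16

/* Largest count the field can hold: 255 for 8 bits, 65535 for 16. */
static unsigned long max_units(unsigned bits) { return (1UL << bits) - 1; }

/* Largest lifetime in minutes the field can express. */
static unsigned long max_lifetime_minutes(unsigned bits) {
    return max_units(bits) * LIFETIME_UNIT_MINUTES;
}

/* Encode a requested lifetime (rounded up to whole units). Returns the
 * field value, or -1 when it does not fit, so the issuer can refuse the
 * request instead of storing a value that has wrapped around. */
static long encode_lifetime(unsigned bits, unsigned long minutes) {
    unsigned long units = (minutes + LIFETIME_UNIT_MINUTES - 1) / LIFETIME_UNIT_MINUTES;
    if (units > max_units(bits))
        return -1;
    return (long)units;
}

/* What a naive encoder that merely masks to the field width would store,
 * decoded back to minutes: the failure mode the range check prevents. */
static unsigned long truncated_lifetime_minutes(unsigned bits, unsigned long minutes) {
    unsigned long units = minutes / LIFETIME_UNIT_MINUTES;
    return (units & max_units(bits)) * LIFETIME_UNIT_MINUTES;
}

int main(void) {
    unsigned long two_weeks = 14UL * 24 * 60;  /* the lifetime the post asks for */
    printf("8-bit field max:  %lu minutes (%.2f hours)\n",
           max_lifetime_minutes(CURRENT_BITS), max_lifetime_minutes(CURRENT_BITS) / 60.0);
    printf("16-bit field max: %lu minutes (%.1f days)\n",
           max_lifetime_minutes(PROPOSED_BITS), max_lifetime_minutes(PROPOSED_BITS) / 1440.0);
    printf("two weeks in 8 bits:  %ld\n", encode_lifetime(CURRENT_BITS, two_weeks));
    printf("two weeks in 16 bits: %ld\n", encode_lifetime(PROPOSED_BITS, two_weeks));
    printf("two weeks masked into 8 bits would read as %lu minutes\n",
           truncated_lifetime_minutes(CURRENT_BITS, two_weeks));
    return 0;
}
```

A two-week ticket that is silently masked into the 8-bit field comes out as a 16-hour ticket, which is why the encoder returns an error instead.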

I'll send more comments after the July 4 weekend, but I believe this to be our
only make-or-break problem.

        Mike Kazar
        (kazar+@andrew.cmu.edu)