
Re: PK-Init and proxy certs question

Andreas Haupt wrote:
> Hi,
> I have a question (or maybe it is a bug) regarding the tgt generation
> out of globus proxy certificates. That's what I did:
> [brutus-vm10] ~ % date
> Tue Sep 25 15:23:45 CEST 2007
> [brutus-vm10] ~ % grid-proxy-init -rfc
> Your identity: /O=GermanGrid/OU=DESY/CN=Andreas Haupt
> Enter GRID pass phrase for this identity:
> Creating proxy ....................................... Done
> Your proxy is valid until: Wed Sep 26 03:23:50 2007
> [brutus-vm10] ~ % grid-proxy-info     
> subject  : /O=GermanGrid/OU=DESY/CN=Andreas Haupt/CN=1396311403
> issuer   : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
> identity : /O=GermanGrid/OU=DESY/CN=Andreas Haupt
> type     : RFC 3820 compliant impersonation proxy
> strength : 512 bits
> path     : /tmp/x509up_p31139.fileiLYtv0.1
> timeleft : 11:59:55
> [brutus-vm10] ~ % kinit -C FILE:/tmp/x509up_p31139.fileiLYtv0.1 ahaupt@IFH.DE
> [brutus-vm10] ~ % klist
> Credentials cache: FILE:/tmp/krb5cc_9132_rd3v5E
>         Principal: ahaupt@IFH.DE
>   Issued           Expires          Principal
> Sep 25 15:24:00  Sep 26 16:23:59  krbtgt/IFH.DE@IFH.DE
> Sep 25 15:24:01  Sep 26 16:23:59  afs@IFH.DE
> What you can see is that the TGT is valid for a longer time (actually
> the default ticket lifetime) than the original proxy certificate. Is it
> a misconfiguration? Or a bug?

It might be neither. The kinit command does have a lifetime parameter,
and this would be the "kerberos" way to set the lifetime. But certificates
also have a lifetime, and RFC3820 talks a lot about setting short lifetimes
of proxies.

Proxies are limited to the lifetime of the "proxy Issuer".  The KDC limits
delegated tickets and service tickets to the lifetime of the TGT.  Using
a proxy to get a TGT is just another form of delegation.

But this is the same question one could ask about setting up an ssh
session. Should the session end when the lifetime of the ticket or
cert used to create it is reached? (It does not today with Kerberos.)

What about the lifetime of the AFS token, should it be limited too?
Some would say no as they want to use it for long running jobs.

I would say this should be a configure option, and the lifetime from
the proxy should be used just as the lifetime of a TGT used when getting
another ticket. But some special services like AFS tokens could
have a lifetime that exceeds the proxy or ticket lifetime.

> BTW: I've written a PAM module that generates a K5 TGT out of a
> delegated globus proxy (e.g. by gsissh) at login. With the help of
> pam_krb5afs you can even obtain an AFS token. It is called
> pam_gridpxy2krb5 and can be downloaded from here:
> http://www-zeuthen.desy.de/~ahaupt/downloads/pam_gridpxy2krb5-0.1.tar.gz
> Please feel free to use or modify it.
> Cheers,
> Andreas


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
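The thread's point is that a TGT obtained from a proxy should not outlive the proxy it was derived from. As an added example (not from this thread, not from pam_gridpxy2krb5), the shell below reads the proxy's notAfter with openssl, computes the remaining validity, and passes it to kinit as the ticket lifetime; the function names are hypothetical, the `kinit -C FILE:` syntax is the one used in the thread, and the `-l` lifetime flag plus GNU `date -d` are assumed to be available.

```shell
#!/bin/sh
# Added example: cap the requested TGT lifetime at the proxy certificate's
# remaining validity, so the delegated Kerberos credential cannot outlive
# the X.509 proxy it was obtained from. Assumes openssl, GNU date and a
# kinit that understands -C FILE:<proxy> and -l <lifetime> (as in the thread).

# Seconds of validity left; prints 0 if the proxy has already expired.
# $1 = proxy notAfter as epoch seconds, $2 = current time as epoch seconds
remaining_seconds() {
    left=$(( $1 - $2 ))
    [ "$left" -gt 0 ] || left=0
    echo "$left"
}

# Render a seconds count as a kinit lifetime string such as 11h59m55s
# (the h/m/s unit form is accepted by both MIT and Heimdal kinit).
lifetime_string() {
    secs=$1
    printf '%dh%dm%ds\n' $(( secs / 3600 )) $(( (secs % 3600) / 60 )) $(( secs % 60 ))
}

# Read notAfter from the proxy file and convert it to epoch seconds.
# Uses GNU date; on BSD/macOS substitute `date -j -f`.
proxy_not_after() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -u -d "$end" +%s
}

# Request a TGT whose lifetime is bounded by the proxy's remaining validity.
# $1 = proxy file path, $2 = Kerberos principal
kinit_capped() {
    proxy=$1; principal=$2
    left=$(remaining_seconds "$(proxy_not_after "$proxy")" "$(date +%s)")
    if [ "$left" -eq 0 ]; then
        echo "proxy $proxy has expired; refusing to request a TGT" >&2
        return 1
    fi
    kinit -C "FILE:$proxy" -l "$(lifetime_string "$left")" "$principal"
}
```

The KDC may still clamp the result to its own maximum ticket life, so the lifetime actually granted is the smaller of the two.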