The max renewable lifetime for the default user in our realm is set to a week. Let's make it a year:
Allowing year-long renewable tickets on the server
kadmin> get default@MY.REALM
Principal: default@MY.REALM
<snip>
Max ticket life: 1 day
Max renewable life: 1 week
<snip>
Aliases:
kadmin> modify default@MY.REALM
Max ticket life [1 day]:
Max renewable life [1 week]:1year
<snip>
kadmin> get default@MY.REALM
Principal: default@MY.REALM
<snip>
Max ticket life: 1 day
Max renewable life: 1 year
<snip>
kadmin>
Note: this affects only new principals, and it should be done for all principals.
Asking for year-long renewable tickets on the client
In /etc/krb5.conf on the client, put:
<snip>
[appdefaults]
    forwardable = true
    pam = {
        minimum_uid = 1000000
        renew_lifetime=365d
        MY.REALM = {
            ignore_k5login = true
            debug = true
        }
    }
<snip>
Test login
admin@bosshost:~$ ssh user@host
<snip>
user@host:~$ klist -v
<snip>
Auth time: Mar 17 11:36:51 2011
End time: Mar 17 21:36:51 2011
Renew till: Mar 16 11:36:51 2012
<snip>
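Checking the result
An added example, not part of the original page: a Python check that parses the time fields of klist -v output like the excerpt above and reports whether the granted renewable window matches the renew_lifetime=365d requested in krb5.conf. The function names and the 5-minute slack are assumptions, and the sample input is constructed from the values shown above.

```python
from datetime import datetime, timedelta

# Constructed sample, shaped like the `klist -v` excerpt above.
SAMPLE_KLIST = """\
<snip>
Auth time:  Mar 17 11:36:51 2011
End time:   Mar 17 21:36:51 2011
Renew till: Mar 16 11:36:51 2012
<snip>
"""

TIME_FIELDS = ("Auth time", "End time", "Renew till")
TIME_FORMAT = "%b %d %H:%M:%S %Y"  # assumes English month names (C locale)


def parse_klist_times(text):
    """Return {field: datetime} for the time fields present in the output."""
    times = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in TIME_FIELDS:
            times[label.strip()] = datetime.strptime(value.strip(), TIME_FORMAT)
    return times


def ticket_windows(text):
    """Return (ticket lifetime, renewable window); the window is None if absent."""
    t = parse_klist_times(text)
    if "Auth time" not in t or "End time" not in t:
        raise ValueError("klist output lacks Auth time or End time")
    renew = t["Renew till"] - t["Auth time"] if "Renew till" in t else None
    return t["End time"] - t["Auth time"], renew


def classify(text, requested=timedelta(days=365), slack=timedelta(minutes=5)):
    """Compare the granted renewable window with the renew_lifetime asked for."""
    _, renew = ticket_windows(text)
    if renew is None:
        return "not-renewable"
    if renew > requested + slack:
        return "exceeds-request"
    if renew < requested - slack:
        return "clamped"  # e.g. a principal still limited to 1 week
    return "as-requested"


if __name__ == "__main__":
    life, renew = ticket_windows(SAMPLE_KLIST)
    print(f"ticket life {life}, renewable for {renew}: {classify(SAMPLE_KLIST)}")
```

A "clamped" result after the kadmin change points at a principal that still carries the old one-week limit, which is the case the note above warns about.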