[auton-users] kauthd trouble and near-perpetual kerberos tickets

Dan Pelleg dpelleg+ at cs.cmu.edu
Wed Sep 17 21:29:07 EDT 2003


I have been circulating this little tip for a few months now, but I don't
believe I ever sent it to the list. It should help with getting kerberos
tickets in ways other than logging in to the console of a facilitized
machine.

If you're using kauthd, you should know that it is being phased out (more
correctly, the infrastructure that it's supposed to keep humming is being
phased out). What follows are instructions on how to replace it.

If you don't know what kauthd is, then you either never need to obtain
kerberos tickets, or you do and don't mind typing your kerberos password
over and over again. If you're in either category you can stop reading now.

What follows will maintain long-living tickets. This means you can ssh into
a SCS facilitized host remotely using one of the password-free methods
offered by SSH, and still have tickets.

[ Note: the topic of password-less ssh-ing was covered in a previous post
to this list, and can be found here: http://www.autonlab.org/tips.html .
You will need your mailing-list password (and the server will mail it to
you on request) ]


There are 3 steps. Once you perform them, you will not need to type your
kerberos password more often than once a month. When you do, you will get
an email reminding you to do so, and it will contain the command you'll
need to type.


1. Depending on whether you're a tcsh or bash user, add the following to
your startup file. If you don't know, then you are probably using tcsh
(the default for SCS).


------------------------------ tcsh users: add to .login
if ( -e /usr/local/bin/aklog ) then
    # Only use one ticket file for everything: (Kerberos v4)
    setenv KRBTKFILE /tkt/$LOGNAME-ticket
    # Only use one ticket file for everything: (Kerberos v5)
    setenv KRB5CCNAME /tkt/$LOGNAME-ticket-v5
    # Load that ticket into AFS (get an AFS token from the Kerberos ticket):
    /usr/local/bin/aklog
endif
------------------------------ tcsh users



------------------------------ bash users: add to .bashrc
if [ -e /usr/local/bin/aklog ]; then
    # Only use one ticket file for everything:
    # krb4 ("setenv" is tcsh syntax; in bash just export the variable)
    export KRBTKFILE; KRBTKFILE=/tkt/$LOGNAME-ticket
    # krb5
    export KRB5CCNAME; KRB5CCNAME=/tkt/$LOGNAME-ticket-v5
    # Load that ticket into AFS (get an AFS token from the Kerberos ticket):
    /usr/local/bin/aklog
fi
------------------------------ bash users


2. Log out and back in. (ok, this is really more than one step. But the
goal is to have the definitions above take place).

Now type:
kinit --renewable

And then your kerberos password.


3. The following script needs to run every few hours:
 - Copy it and save it to a file "script/krenew" under your home directory.
 - Make it executable ("chmod +x script/krenew").
 - Type "crontab -e" and add the following line (a vi editor will open
unless you have EDITOR defined to something else). Cron runs the job from
your home directory, so the relative path "script/krenew" works:

--------------------line to add to crontab
49 5,17 * * * script/krenew
--------------------

------------------------------ file to save as script/krenew
#! /bin/sh

# Only use one ticket file for everything:
# krb4
export KRBTKFILE; KRBTKFILE=/tkt/$LOGNAME-ticket
# krb5
export KRB5CCNAME; KRB5CCNAME=/tkt/$LOGNAME-ticket-v5

# Renew the (renewable) ticket. If renewal fails, print the reminder (cron
# mails the output to you) and stop with a non-zero status. Note the braces:
# an "exit" inside a "( ... )" subshell would only leave the subshell, and
# aklog would still run with a dead ticket.
/usr/local/bin/kinit --renew || { echo "do a kinit --renewable" ; exit 1; }

# Load the renewed ticket into AFS.
/usr/local/bin/aklog || exit 1
------------------------------
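A variant of the krenew script above, added here as an example and not part of the original post: it also warns *before* the renewable lifetime runs out, so the reminder arrives while the ticket still works rather than after the cron job has already failed once. It assumes a maximum renewable lifetime of about 30 days (the post only says "once a month"); the stamp file name, the 3-day warning margin and the KINIT/AKLOG/STAMP/MAX_DAYS/WARN_DAYS variables are choices made here, not site settings.

```shell
#!/bin/sh
# Added example: krenew with an early warning, not the original post's script.
# Assumed: 30-day renewable lifetime, 3-day warning margin, ~/.krenew-stamp.
KINIT=${KINIT:-/usr/local/bin/kinit}
AKLOG=${AKLOG:-/usr/local/bin/aklog}
STAMP=${STAMP:-$HOME/.krenew-stamp}
MAX_DAYS=${MAX_DAYS:-30}
WARN_DAYS=${WARN_DAYS:-3}

# Use this instead of a bare "kinit --renewable" in step 2: it records when
# the renewable ticket was obtained so krenew can compute the deadline.
kinit_renewable() {
    "$KINIT" --renewable && date +%s > "$STAMP"
}

# Days left before a ticket obtained at $1 (epoch seconds) can no longer be
# renewed, evaluated at time $2 (epoch seconds), with $3 = max lifetime in
# days. Negative means the renewable lifetime is already over.
days_until_rekinit() {
    echo $(( $3 - ( $2 - $1 ) / 86400 ))
}

# Renew the ticket and reload the AFS token. Return status: 0 ok,
# 1 renewal failed (stderr carries the reminder that cron mails to you),
# 2 aklog failed (ticket renewed but no AFS token).
krenew() {
    export KRBTKFILE KRB5CCNAME
    KRBTKFILE=/tkt/$LOGNAME-ticket
    KRB5CCNAME=/tkt/$LOGNAME-ticket-v5
    if ! "$KINIT" --renew; then
        echo "kerberos renewal failed: run 'kinit --renewable' then aklog" >&2
        return 1
    fi
    if [ -r "$STAMP" ]; then
        left=$(days_until_rekinit "$(cat "$STAMP")" "$(date +%s)" "$MAX_DAYS")
        if [ "$left" -le "$WARN_DAYS" ]; then
            echo "renewable lifetime ends in $left day(s): run 'kinit --renewable' soon" >&2
        fi
    fi
    "$AKLOG" || { echo "aklog failed: no AFS token" >&2; return 2; }
    return 0
}
```

To use it as the cron job, save it as script/krenew and append a final line reading `krenew` so the function actually runs; the non-zero return status makes a failure visible in cron's mail.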




****************************************
For some more information on this matter, and a link to a small GUI program
that can also help with this issue, see:

http://zarchive.srv.cs.cmu.edu/prog/zquery?zid=2922325


