Thoughts on long-lived credentials

Russ Allbery rra at stanford.edu
Sun Jan 22 04:38:42 EST 2006


Luke Howard <lukeh at padl.com> writes:

> What are the current thoughts on automatically renewing Kerberos
> credentials for long-lived sessions, particularly with respect to NFSv4
> (where the user experience could be adversely affected)?

> It seems that Solaris has kwarnd, which can both warn users of impending
> ticket expiry as well as renewing tickets. Are there any plans to do
> something similar for Linux? (I know about KCM, but we need a solution
> that works with MIT, and preferably one that will work with any ccache
> type.)

While people are figuring out nice apps to do this with GUIs and whatnot
or cool system-wide automated daemons, I needed something like this but
fairly simple to replace a local AFS token renewer that's going to die
when we move to K5 AFS.  I've therefore just finished writing a simple
program that will renew an existing ticket cache for as long as it can
and/or until a particular command finishes.

The program is krenew and is part of the kstart distribution as of the 3.0
release, which I just (as in ten minutes ago) put up on my web site.  You
can get it from <http://www.eyrie.org/~eagle/software/kstart/>.  It's been
moderately tested, but it may not be 100% yet.  Please send me any
problems you run into.

It doesn't solve the more general problem of prompting the user for their
credentials again, or automatically manage multiple ticket caches, but
people may find it useful for the scenario we're going to use it for
(maintaining Kerberos tickets and AFS tokens for long-running jobs).

There are no AFS dependencies unless you want them.

BTW, it's mostly tested under MIT Kerberos but it *should* work under
Heimdal as well.  Heimdal alas doesn't have krb5_get_renewed_creds and has
a much different interface, but I think I figured it out after staring at
the Heimdal kinit source for a while.  Still, any corrections or further
testing from Heimdal users is much appreciated.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


