kstart 4.0 released
Russ Allbery
rra at stanford.edu
Fri Dec 30 00:17:28 EST 2011
I'm pleased to announce release 4.0 of kstart.
k5start and krenew are modified versions of kinit which add support for
running as a daemon to maintain a ticket cache, running a command with
credentials from a keytab and maintaining a ticket cache until that
command completes, obtaining AFS tokens (via an external aklog) after
obtaining tickets, and creating an AFS PAG for a command. They are
primarily useful in conjunction with long-running jobs; for moving ticket
handling code out of servers, cron jobs, or daemons; and to obtain tickets
and AFS tokens with a single command.
Changes from previous release:

Remove k4start from the distribution. I no longer have a Kerberos v4
environment with which to test and therefore no way to refactor and
restructure the code for other changes to the package. Users who
still need k4start should use an older version of the package.

Ticket caches passed to k5start or krenew with the -k option are now
used as-is without prepending "FILE:". This allows both programs to
be used with non-file caches (unless the -o, -g, or -m options were
given to k5start, of course). However, users who were relying on
k5start or krenew prepending "FILE:" may now need to add this
explicitly to the -k argument if they want the ticket cache to be set
in the environment with that prefix.

Always canonicalize the ticket cache name in k5start before
propagating KRB5CCNAME to child processes. This combined with the
previous change allows -k to specify a ticket cache name that changes
once the cache is created, such as when creating new PIPE caches.

krenew now defaults to staying running if renewing credentials fails.
The new -x option restores the previous behavior of exiting on any
error. It will still exit by default (unless -i is used) if the
renewable lifetime has expired or if the ticket cache has been
removed.

k5start no longer exits on failure to obtain credentials when running
as a daemon. The new -x option restores the previous behavior of
exiting on any error. It does still exit if the first attempt to
obtain credentials during startup (before backgrounding) fails, to
make it easier to diagnose configuration errors.

k5start, when run with the -o, -g, or -m options to change ticket
cache ownership or permissions, now writes a temporary ticket cache in
the same directory, sets its ownership and permissions, and then
replaces the existing cache with an atomic rename. It also sets
permissions properly if it has to reauthenticate after backgrounding
itself. This closes two windows where the cache may not be accessible
to the program using it if k5start were in the middle of refreshing
it. Thanks to Harry Coin for the report.

k5start and krenew now propagate SIGINT (Ctrl-C) to the child process
when running a command rather than exiting immediately.

Set signal handlers with sigaction instead of signal, which may fix
problems propagating multiple signals to child processes in k5start
and krenew.

Diagnose the nonsensical combination of -U and -u or -i options in
k5start and report an error rather than ignoring -u and appending the
instance from -i onto the principal obtained via -U. Also diagnose
the nonsensical combination of -H and a command to run in both
k5start and krenew; just omit the -H flag for this case.

Update the included kafs library to the version from rra-c-util 4.0,
adding support for Mac OS X and Solaris 11.

Change references to Kerberos v5 to just Kerberos in the
documentation. Kerberos v5 has been the default version of Kerberos
for over ten years now.

Update to rra-c-util 4.0:
* Build on systems where krb5/krb5.h exists but krb5.h does not.
* Build with OpenBSD Heimdal where there is no separate roken library.
* Kerberos probes no longer assume transitive library dependencies.
* Fix removal of /usr/include from Kerberos CPPFLAGS.
* Add notices to all files copied from rra-c-util.
* Fix replacement of krb5_free_error_message.
* Support older Heimdal with no-context krb5_get_init_creds_opt_free.
* Improve probe for krb5_kt_free_entry.
* Fix use of long long, where available, in replacement mkstemp.
* Include strings.h where present for more POSIX string functions.
* Use typedef for a missing sig_atomic_t.
* Avoid passing a NULL context to krb5_get_error_message.
* Fix integer data types in the messages utility library.
* Use configure-detected aklog path in the test suite.
* Add replacement for a missing strndup (such as on Mac OS X).
* Add tests for messages-krb5 utility functions.
* Update compiler warning flags for make warnings to gcc 4.6.1.
Update to C TAP Harness 1.9:
* Add a usage message and -h option to runtests.
* Honor -s and SOURCE in runtests even if BUILD is not set.
* Improve test summary at the end of a C test case.
* Flush stderr before printing TAP output.
* Improve portability of output functions in the shell libtap.sh.
* Add notices to all files copied from C TAP Harness.
You can download it from:
<http://www.eyrie.org/~eagle/software/kstart/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
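
The write-a-temporary-then-rename approach the announcement describes for the -o, -g, and -m options, sketched as an added example (this is not kstart's code). The function name replace_atomic and the sample path are hypothetical, and plain bytes stand in for the ticket cache that the Kerberos library would write.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Replace `path` with `len` bytes of `data` so that a reader never sees a
 * missing, half-written, or wrongly-permissioned file.  Returns 0 or -1. */
int replace_atomic(const char *path, const void *data, size_t len,
                   uid_t owner, gid_t group, mode_t mode)
{
    char tmp[4096];
    int fd;

    /* The temporary lives beside the target: rename() only works, and is
     * only atomic, within a single file system. */
    if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path) >= (int) sizeof(tmp))
        return -1;
    fd = mkstemp(tmp);                  /* exclusive create, mode 0600 */
    if (fd < 0)
        return -1;

    /* Ownership and mode are set on the descriptor before the final name
     * exists; (uid_t) -1 or (gid_t) -1 leaves that ID unchanged. */
    if (fchown(fd, owner, group) < 0 || fchmod(fd, mode) < 0)
        goto fail;
    if (write(fd, data, len) != (ssize_t) len || fsync(fd) < 0)
        goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmp, path) < 0)          /* old cache swapped out in one step */
        goto fail;
    return 0;

fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);                        /* never leave a stray temporary */
    return -1;
}

int main(void)
{
    const char *path = "/tmp/krb5cc_example";      /* constructed sample path */
    const char *blob = "stand-in for cache bytes"; /* constructed sample data */

    return replace_atomic(path, blob, strlen(blob),
                          (uid_t) -1, (gid_t) -1, 0640) < 0;
}
```

Setting the mode after the rename instead would leave a moment where the consuming process cannot read the new cache, which is the kind of window the announcement says was closed.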