kstart 4.1 released

Russ Allbery rra at stanford.edu
Sat Jan 7 23:29:06 EST 2012

I'm pleased to announce release 4.1 of kstart.

k5start and krenew are modified versions of kinit which add support for
running as a daemon to maintain a ticket cache, running a command with
credentials from a keytab and maintaining a ticket cache until that
command completes, obtaining AFS tokens (via an external aklog) after
obtaining tickets, and creating an AFS PAG for a command.  They are
primarily useful in conjunction with long-running jobs; for moving ticket
handling code out of servers, cron jobs, or daemons; and to obtain tickets
and AFS tokens with a single command.

Changes from previous release:

    Fix a regression introduced in kstart 4.0 that caused k5start -H and
    krenew -H to fail and attempt reauthentication with non-renewable
    tickets even if the lifetime was long enough.  Thanks to pod for the

    Fix a regression introduced in kstart 4.0 where k5start -H would be
    happy with an unexpired ticket for a different principal than the
    desired client principal.

    When k5start or krenew are running as a daemon and obtaining new
    tickets fails, both now shorten the wake-up interval to one minute and
    keep trying at that interval until the error resolves itself, and then
    go back to the normal wakeup interval.

    Add a new -s option to krenew that, if given, tells krenew to send
    SIGHUP to the command it's running when it exits because it can't
    renew the ticket.  This is useful when continuing to run the command
    without a valid ticket would be pointless.

    After a SIGHUP or SIGTERM when not running a command, k5start and
    krenew now clean up their PID files, if any, before exiting.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list