Leverage Kerberos/Wallet for non-interactive SSH and script execution
Andreas Ntaflos
daff at pseudoterminal.org
Wed May 22 15:00:28 EDT 2013
Hi,
I'd like to leverage our Kerberos (and Wallet) infrastructure to enable
non-interactive SSH/SCP between two servers for a given user. Is this
possible? Using MIT Kerberos 1.10 on Ubuntu 12.04 everywhere, currently
still with Wallet from prior to 1.0 (but after 0.12).
The scenario is this: We have a Jenkins build server (build01) and an
APT repo server (apt01, using Freight [1]). Jenkins does what it does
and in the end creates DEB packages. Those DEB packages should land on
the APT repo server and the APT repo should be updated with the new
packages. This works as expected using SSH public key authentication.
On the shell it looks like this:
jenkins@build01:~$ scp *.deb jenkins@apt01:/path/to/packages
jenkins@build01:~$ ssh jenkins@apt01 "/usr/local/bin/update-apt-repo"
After that the APT repo server has the new packages, signed and ready
for installation.
I have implemented a Wallet infrastructure according to Jan-Piet Mens's
excellent article [2] and distributed Keytabs for all servers (using
Puppet). I can interactively and without passwords log into any of those
servers after doing a "kinit" as my user.
So what can I do to avoid SSH public key authentication and instead use
Kerberos and possibly Wallet to implement the described scenario?
Thanks,
Andreas
[1] https://github.com/rcrowley/freight
[2] http://jpmens.net/2012/06/25/streamlining-distribution-of-kerberos-keytabs-and-other-secure-data/
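One way to run the scp/ssh step above with a ticket obtained from a keytab rather than an SSH key pair, added here as an example; it is not part of the original post or of any reply in the thread. It assumes (none of this is stated in the post) a realm EXAMPLE.ORG, a keytab /etc/krb5/jenkins.keytab holding jenkins/build01@EXAMPLE.ORG, sshd on apt01 configured with "GSSAPIAuthentication yes", and a ~jenkins/.k5login on apt01 that lists that principal.

```shell
#!/bin/sh
# Added example (not from the post): publish .deb files to apt01 with a
# Kerberos ticket taken from a keytab instead of an SSH key pair.
# Assumed, not stated in the post: realm EXAMPLE.ORG, keytab
# /etc/krb5/jenkins.keytab holding jenkins/build01@EXAMPLE.ORG, sshd on
# apt01 with "GSSAPIAuthentication yes", and ~jenkins/.k5login on apt01
# listing that principal (it is not jenkins@EXAMPLE.ORG, so sshd will not
# map it to the jenkins account on its own).
set -eu

PRINC="${PRINC:-jenkins/build01@EXAMPLE.ORG}"
KEYTAB="${KEYTAB:-/etc/krb5/jenkins.keytab}"   # keep it 0600, owned by jenkins
TARGET="${TARGET:-jenkins@apt01}"
DEST_DIR="${DEST_DIR:-/path/to/packages}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# Use the ticket only: no TGT forwarding to apt01, no prompts in a batch job.
GSS_OPTS="-o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no"
GSS_OPTS="$GSS_OPTS -o PasswordAuthentication=no -o BatchMode=yes"

# Run the given command, or just print it in dry-run mode.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

publish_debs() {
    # Private credential cache: the ticket never lands in a shared ccache
    # and is destroyed together with the file when the shell exits.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_jenkins_XXXXXX)"
    export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null || true; rm -f "${KRB5CCNAME#FILE:}"' EXIT
    # kinit -k takes the key from the keytab, so no password is ever typed.
    [ "$DRY_RUN" = 1 ] || kinit -k -t "$KEYTAB" "$PRINC"
    # shellcheck disable=SC2086  # GSS_OPTS is meant to be word-split
    run scp $GSS_OPTS "$@" "$TARGET:$DEST_DIR"
    run ssh $GSS_OPTS "$TARGET" /usr/local/bin/update-apt-repo
}

# Usage from a Jenkins job: ./publish-debs.sh build/*.deb
[ $# -eq 0 ] || publish_debs "$@"
```

Run it once with DRY_RUN=1 to see the exact scp and ssh command lines before wiring it into the job.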