Leverage Kerberos/Wallet for non-interactive SSH and script execution

Andreas Ntaflos daff at pseudoterminal.org
Wed May 22 15:00:28 EDT 2013


I'd like to leverage our Kerberos (and Wallet) infrastructure to enable 
non-interactive SSH/SCP between two servers for a given user. Is this 
possible? Using MIT Kerberos 1.10 on Ubuntu 12.04 everywhere, currently 
still with Wallet from prior to 1.0 (but after 0.12).

The scenario is this: We have a Jenkins build server (build01) and an 
APT repo server (apt01, using Freight [1]). Jenkins does what it does 
and in the end creates DEB packages. Those DEB packages should land on 
the APT repo server and the APT repo should be updated with the new 
packages. This works as expected using SSH public key authentication.

On the shell it looks like this:

jenkins at build01:~$ scp *.deb jenkins at apt01:/path/to/packages
jenkins at build01:~$ ssh jenkins at apt01 "/usr/local/bin/update-apt-repo"

After that the APT repo server has the new packages, signed and ready 
for installation.

I have implemented a Wallet infrastructure according to Jan-Piet Mens's 
excellent article [2] and distributed Keytabs for all servers (using 
Puppet). I can interactively and without passwords log into any of those 
servers after doing a "kinit" as my user.

So what can I do to avoid SSH public key authentication and instead use 
Kerberos and possibly Wallet to implement the described scenario?



[1] https://github.com/rcrowley/freight

More information about the Kerberos mailing list