Leverage Kerberos/Wallet for non-interactive SSH and script execution

Ken Dreyer ktdreyer at ktdreyer.com
Wed May 22 15:37:56 EDT 2013


On Wed, May 22, 2013 at 1:20 PM, Russ Allbery <rra at stanford.edu> wrote:
> Then, use wallet to create that keytab on the build server, and then have
> your Jenkins server end its tasks by running:
>
>     k5start -qUf /path/to/keytab/file -- /path/to/upload/script

I recently set up something just like this to do Jenkins deploys out
of an SCM into AFS (instead of SSH or SCP). k5start works like a charm
and I'd highly recommend it.

Also, I'd second Russ's point about separate keytabs per build
"server". Out of the box, Jenkins doesn't do privilege separation well
at all. I worked around this by using separate Jenkins shell accounts
on the build servers, one account per project, with separate keytabs
for each shell account/project. They are all prefixed by "jenkins/",
so the keytab that can deploy to an Apache virtualhost in AFS is named
"jenkins/vhost.example.com". It's a pain to manage all these extra
pieces at scale, although Puppet helps a bit.

- Ken


More information about the Kerberos mailing list