Leverage Kerberos/Wallet for non-interactive SSH and script execution

Andreas Ntaflos daff at pseudoterminal.org
Fri May 24 19:05:01 EDT 2013


On 2013-05-22 21:20, Russ Allbery wrote:
> Andreas Ntaflos <daff at pseudoterminal.org> writes:
> 
>> The scenario is this: We have a Jenkins build server (build01) and an
>> APT repo server (apt01, using Freight [1]). Jenkins does what it does
>> and in the end creates DEB packages. Those DEB packages should land on
>> the APT repo server and the APT repo should be updated with the new
>> packages. This works as expected using SSH public key authentication.
> 
>> On the shell it looks like this:
> 
>> jenkins@build01:~$ scp *.deb jenkins@apt01:/path/to/packages
>> jenkins@build01:~$ ssh jenkins@apt01 "/usr/local/bin/update-apt-repo"
> 
>> After that the APT repo server has the new packages, signed and ready 
>> for installation.
> 
> What we do for a similar case is that we put the two commands in a script,
> and then create a keytab on the build server that will be used for
> authentication to upload the commands.  You can just use the
> host/build01.example.com host key, but we usually create a special
> principal for the Jenkins build service (we'd call it service/jenkins), or
> if you want each build server to have a unique keytab (not a bad idea),
> create a keytab like jenkins/build01.example.com.
> 
> Then, use wallet to create that keytab on the build server, and then have
> your Jenkins server end its tasks by running:
> 
>     k5start -qUf /path/to/keytab/file -- /path/to/upload/script
> 
> This will run the script with a Kerberos ticket cache.  ssh will then be
> able to use GSS-API authentication using that Kerberos ticket cache, and
> once you add a .k5login file in the home directory of the jenkins user on
> apt01 containing the principal you use on the build server, everything
> should just work with Kerberos and no ssh public keys.

Russ, thanks very much for this idea, I implemented it almost exactly
like that and it works flawlessly. It also helps to have Puppet modules
and types for Wallet and k5login.

I'll be using this approach for a few other aspects in our
infrastructure as well.

Thanks again,

Andreas
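As an added example (not code from this thread or from the wallet/k5start projects), here is a post-build script that wires together the three pieces Russ describes: a wallet-created keytab, `k5start -qUf` wrapping the upload, and a `.k5login` on the repo host. The keytab path, principal, realm `EXAMPLE.COM`, host `apt01.example.com` and the `KEYTAB`/`REPO_*` variable names are assumptions; the remote `/usr/local/bin/update-apt-repo` is the one from the thread.

```shell
#!/bin/sh
# Jenkins post-build upload over Kerberos-authenticated SSH (added example).
set -eu

KEYTAB="${KEYTAB:-/etc/jenkins/jenkins.keytab}"      # assumed path, created via wallet
REPO_HOST="${REPO_HOST:-apt01.example.com}"          # assumed host name
REPO_USER="${REPO_USER:-jenkins}"
REPO_DIR="${REPO_DIR:-/path/to/packages}"            # from the thread

# ssh/scp options: use the ticket cache only, never fall back to keys or
# passwords, and do not forward (delegate) the TGT to the repo host.
ssh_opts() {
    printf '%s %s %s %s %s %s' \
        '-o GSSAPIAuthentication=yes' \
        '-o GSSAPIDelegateCredentials=no' \
        '-o PreferredAuthentications=gssapi-with-mic' \
        '-o PasswordAuthentication=no' \
        '-o PubkeyAuthentication=no' \
        '-o BatchMode=yes'
}

# Does a .k5login grant access to this principal?  Whole-line match, so
# jenkins/build01.example.com@EXAMPLE.COM does not match build02's principal
# and a bare "jenkins/build01.example.com" (no realm) is not accepted either.
k5login_allows() {  # $1 = path to .k5login, $2 = principal
    grep -Fxq "$2" "$1"
}

# Only .deb files are uploaded: a sloppy glob must not ship workspace files.
deb_files() {  # $1 = directory
    find "$1" -maxdepth 1 -type f -name '*.deb'
}

upload_packages() {  # $1 = directory holding the built .deb files
    dir="$1"
    set -- $(deb_files "$dir")
    [ "$#" -gt 0 ] || { echo "no .deb files in $dir" >&2; return 1; }
    # k5start: -U takes the principal from the keytab, -q is quiet, -f names
    # the keytab; the command after -- runs with a temporary ticket cache.
    k5start -qUf "$KEYTAB" -- sh -c '
        opts=$1; host=$2; dir=$3; shift 3
        scp $opts "$@" "$host:$dir/" &&
        ssh $opts "$host" /usr/local/bin/update-apt-repo
    ' sh "$(ssh_opts)" "$REPO_USER@$REPO_HOST" "$REPO_DIR" "$@"
}

case "${1:-}" in
    run) upload_packages "${2:-.}" ;;
esac
```

Invoke it from the Jenkins job as `deploy-debs.sh run "$WORKSPACE"` (name assumed); the ticket cache exists only for the lifetime of the wrapped `sh -c`, so nothing in the build environment can reuse it afterwards.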
