Leverage Kerberos/Wallet for non-interactive SSH and script execution
Andreas Ntaflos
daff at pseudoterminal.org
Fri May 24 19:12:13 EDT 2013
On 2013-05-22 21:37, Ken Dreyer wrote:
> On Wed, May 22, 2013 at 1:20 PM, Russ Allbery <rra at stanford.edu> wrote:
>> Then, use wallet to create that keytab on the build server, and then have
>> your Jenkins server end its tasks by running:
>>
>> k5start -qUf /path/to/keytab/file -- /path/to/upload/script
>
> I recently set up something just like this to do Jenkins deploys out
> of an SCM into AFS (instead of SSH or SCP). k5start works like a charm
> and I'd highly recommend it.
>
> Also, I'd second Russ's point about separate keytabs per build
> "server". Out of the box, Jenkins doesn't do privilege separation well
> at all. I worked around this by using separate Jenkins shell accounts
> on the build servers, one account per project, with separate keytabs
> for each shell account/project. They are all prefixed by "jenkins/",
> so the keytab that can deploy to an Apache virtualhost in AFS is named
> "jenkins/vhost.example.com". It's a pain to manage all these extra
> pieces at scale, although Puppet helps a bit.
Ken, thank you, too, for your input! k5start indeed works great. Our
build server infrastructure is not as complex as yours seems to be but
I've taken your approach and have given each jenkins system account on
each of our four build servers its own keytab and set up k5login on the
APT repo server (with Puppet modules and types for Wallet and k5login
this is easy enough). On the APT repo server the jenkins user can call a
single script via sudo to deploy new .deb packages. This works exactly
as I had hoped it would.
Thanks again,
Andreas
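The setup the thread describes, as an added example (not code from any poster): the Jenkins-side upload runs under k5start from the per-project keytab, and on the repo side a check confirms that the jenkins account's .k5login admits only jenkins/<host> principals. The realm, keytab path, repo host and deploy-script path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All four values below are assumptions.
set -eu

REALM="EXAMPLE.ORG"                                  # assumed realm
KEYTAB="/etc/jenkins/keytabs/jenkins-vhost.keytab"   # assumed; one keytab per project account
REPO_HOST="apt.example.org"                          # assumed APT repo server
DEPLOY_SCRIPT="/usr/local/sbin/apt-deploy"           # assumed: the single script allowed via sudo

# Jenkins side: k5start takes the principal from the keytab (-U), keeps the
# ticket cache private to this command, and runs the upload under it,
# exactly the k5start -qUf <keytab> -- <command> shape Russ suggested.
upload_package() {
    deb="$1"
    k5start -qUf "$KEYTAB" -- sh -c '
        scp -o GSSAPIAuthentication=yes "$1" "$2":/var/tmp/ &&
        ssh -o GSSAPIAuthentication=yes "$2" sudo "$3" "/var/tmp/$(basename "$1")"
    ' sh "$deb" "$REPO_HOST" "$DEPLOY_SCRIPT"
}

# Repo side: the jenkins account's ~/.k5login must list only the per-project
# jenkins/<host>@REALM principals. Any other line (a user principal, a host/
# principal, a blank line) means the file grants more than intended.
# Returns 0 when every line is a jenkins/<host>@REALM principal, 1 otherwise.
check_k5login() {
    file="$1"
    [ -s "$file" ] || return 1
    if grep -Evq "^jenkins/[A-Za-z0-9.-]+@${REALM}\$" "$file"; then
        return 1
    fi
    return 0
}

# Repo side sudoers fragment matching the thread (jenkins may run one script):
#   jenkins ALL=(root) NOPASSWD: /usr/local/sbin/apt-deploy
```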