Leverage Kerberos/Wallet for non-interactive SSH and script execution

Andreas Ntaflos daff at pseudoterminal.org
Fri May 24 19:12:13 EDT 2013

On 2013-05-22 21:37, Ken Dreyer wrote:
> On Wed, May 22, 2013 at 1:20 PM, Russ Allbery <rra at stanford.edu> wrote:
>> Then, use wallet to create that keytab on the build server, and then have
>> your Jenkins server end its tasks by running:
>>     k5start -qUf /path/to/keytab/file -- /path/to/upload/script
> I recently set up something just like this to do Jenkins deploys out
> of an SCM into AFS (instead of SSH or SCP). k5start works like a charm
> and I'd highly recommend it.
> Also, I'd second Russ's point about separate keytabs per build
> "server". Out of the box, Jenkins doesn't do privilege separation well
> at all. I worked around this by using separate Jenkins shell accounts
> on the build servers, one account per project, with separate keytabs
> for each shell account/project. They are all prefixed by "jenkins/",
> so the keytab that can deploy to an Apache virtualhost in AFS is named
> "jenkins/vhost.example.com". It's a pain to manage all these extra
> pieces at scale, although Puppet helps a bit.

Ken, thank you, too, for your input! k5start indeed works great. Our
build server infrastructure is not as complex as yours seems to be but
I've taken your approach and have given each jenkins system account on
each of our four build servers its own keytab and set up k5login on the
APT repo server (with Puppet modules and types for Wallet and k5login
this is easy enough). On the APT repo server the jenkins user can call a
single script via sudo to deploy new .deb packages. This works exactly
as I had hoped it would.

Thanks again,


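The deploy path this message and the quoted replies describe (k5start with a per-build-server keytab on the Jenkins side, a .k5login and a single sudo-permitted script on the APT repo side), as an added example that is not from the thread or from any of the tools it names. The hostnames, realm, keytab paths, the incoming directory, reprepro as the repository tool and the package filename pattern are assumptions; the security-relevant part is that the script root runs on behalf of the jenkins account treats its one argument as untrusted input.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames, realm, paths and the
# filename pattern are assumptions.
#
# 1. Build server side: each jenkins system account has its own keytab, e.g.
#    /etc/keytabs/jenkins-build1.keytab holding
#    jenkins/build1.example.com@EXAMPLE.COM, and the job's last step runs the
#    upload script under a ticket obtained from that keytab:
#
#      k5start -qUf /etc/keytabs/jenkins-build1.keytab -- \
#          /usr/local/bin/upload-deb /path/to/pkg_1.0-1_amd64.deb
#
#    upload-deb copies the .deb into the repo server's incoming directory over
#    GSSAPI-authenticated ssh and then calls the single sudo-permitted script:
#
#      scp "$1" repo.example.com:/var/lib/apt-incoming/
#      ssh repo.example.com sudo /usr/local/sbin/deploy-deb "$(basename "$1")"
#
# 2. Repo server side: ~jenkins/.k5login lists exactly the build-server
#    principals (one per build server, nothing else):
#
#      jenkins/build1.example.com@EXAMPLE.COM
#      jenkins/build2.example.com@EXAMPLE.COM
#
#    and /etc/sudoers.d/jenkins-deploy limits the account to one command:
#
#      jenkins ALL=(root) NOPASSWD: /usr/local/sbin/deploy-deb
#
# 3. /usr/local/sbin/deploy-deb itself (the functions below). It runs as root
#    and its only argument comes from the jenkins account, so the argument is
#    validated before anything touches the filesystem or the repository.

INCOMING=${INCOMING:-/var/lib/apt-incoming}   # assumed incoming directory
REPO_DIR=${REPO_DIR:-/srv/apt}                # assumed reprepro base dir
CODENAME=${CODENAME:-stable}                  # assumed distribution codename

# Accept only a bare Debian package filename of the form name_version_arch.deb:
# no path components, no leading dot, no shell metacharacters.
# Returns 0 if acceptable, 1 otherwise.
validate_pkg_name() {
    case "$1" in
        */*|.*|'') return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[a-z0-9][a-z0-9+.-]*_[A-Za-z0-9.+:~-]+_(amd64|i386|all)\.deb$'
}

# Deploy one package: validate the name, require a regular file inside
# INCOMING (no symlink-following into other directories via "..", since the
# name cannot contain "/"), then hand it to reprepro. Non-zero on any failure.
deploy_deb() {
    pkg=$1
    validate_pkg_name "$pkg" || { echo "deploy-deb: rejected package name" >&2; return 1; }
    path="$INCOMING/$pkg"
    [ -f "$path" ] || { echo "deploy-deb: no such file in incoming" >&2; return 1; }
    reprepro -b "$REPO_DIR" includedeb "$CODENAME" "$path" || return 1
    rm -f "$path"
}

# Entry point when installed as the sudo-permitted script; skipped when the
# file is sourced for its functions.
if [ "$(basename "$0")" = "deploy-deb" ]; then
    [ $# -eq 1 ] || { echo "usage: deploy-deb <package.deb>" >&2; exit 2; }
    deploy_deb "$1"
fi
```

The sudoers line names the script with no arguments, which in sudo means any arguments are allowed; that is why the script, not sudoers, has to reject names containing path separators or metacharacters. A stricter sudoers rule could also pin the argument with a wildcard pattern, but validation in the script is what holds when the rule is later loosened.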