Integration of k5start/krenew functionality

Russ Allbery rra at stanford.edu
Mon Aug 3 15:05:27 EDT 2009


Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

> So ... you've USED pagsh, right?  It invokes /bin/sh with the exact
> arguments you give on the command line.  That means you need to build up
> a command line using -c ... and I've found complicated quoting there can
> get hairy very quickly.  Russ's tools were just easier.

I think the assumption that people are making here is that you'd create a
generic wrapper script that would look something like:

    #!/usr/bin/pagsh
    aklog && exec "$@"

and then run something like

    kinit -k -t /path/to/keytab -- afs-wrapper command arg arg arg

The problem with the simplistic approach, of course, is that since the
command is now in a separate PAG from the running k5start process, there's
no way to renew those AFS tokens.  The afs-wrapper script would have to be
more sophisticated than this, since it would need to wake up periodically
to check whether the ticket cache has been updated and then re-run aklog
appropriately.  Since that's exactly the same logic that k5start needs for
renewing the ticket cache, k5start's design is simpler and has less that
can go wrong.

BTW, on the side of pulling k5start options into kinit, one that would be
very useful and is simple to implement would be k5start's -U option, which
says to determine the principal with which to authenticate by reading the
keytab and using the principal of the first entry in the keytab.  We
discovered with k5start that this is a *huge* help for scripts.  We have a
variety of scripts that are now generic rather than customized for each
service or host since the only thing that changed was the principal as
which they should run and that's now read from their keytab.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
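A sketch of the more sophisticated afs-wrapper described above, added here as an example rather than code from the post or from k5start: it runs the command in the current PAG and polls the ticket cache's mtime, re-running aklog whenever kinit/k5start rewrites the cache. It assumes a FILE: ticket cache, a hypothetical AFS_WRAPPER_INTERVAL poll setting, and that the script is launched under pagsh (the #!/bin/sh shebang is used so the helpers can run without pagsh).

```sh
#!/bin/sh
# afs-wrapper: constructed example, not code from the original post.
# Intended to run inside a fresh PAG (e.g. launched via pagsh) with
# KRB5CCNAME pointing at the cache that kinit/k5start keeps renewed.

# Path of the ticket cache to watch. Assumes a FILE: cache; with
# KRB5CCNAME unset, falls back to MIT's default /tmp/krb5cc_<uid>.
cache_file() {
    case "${KRB5CCNAME:-}" in
        FILE:*) printf '%s\n' "${KRB5CCNAME#FILE:}" ;;
        "")     printf '/tmp/krb5cc_%s\n' "$(id -u)" ;;
        *)      printf '%s\n' "$KRB5CCNAME" ;;
    esac
}

# True when the cache exists and is newer than the marker file (or no
# marker has been written yet). Uses the shell's -nt mtime comparison.
cache_updated() {   # $1 = cache path, $2 = marker path
    [ -f "$1" ] && { [ ! -e "$2" ] || [ "$1" -nt "$2" ]; }
}

# Copy the cache's mtime onto the marker so the next poll sees "no change".
mark_seen() { touch -r "$1" "$2"; }

# Poll while the command (pid $3) is alive; re-run aklog on each cache
# rewrite so the PAG's AFS tokens follow the renewed ticket.
watch_cache() {   # $1 = cache, $2 = marker, $3 = pid, $4 = poll seconds
    while kill -0 "$3" 2>/dev/null; do
        if cache_updated "$1" "$2"; then
            aklog && mark_seen "$1" "$2"
        fi
        sleep "$4"
    done
}
main() {
    cache=$(cache_file)
    marker=$(mktemp) || exit 1
    aklog || exit 1                   # initial tokens from the fresh ticket
    mark_seen "$cache" "$marker"
    "$@" &                            # the real command, in this PAG
    pid=$!
    watch_cache "$cache" "$marker" "$pid" "${AFS_WRAPPER_INTERVAL:-60}"
    wait "$pid"; status=$?
    rm -f "$marker"
    exit "$status"
}

# Only act when given a command, so the helpers can be sourced on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```

Signal forwarding to the child is not handled, and a renewal that lands between two polls is picked up only on the next poll, which is the trade-off k5start avoids by owning the renewal itself.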
