[OpenAFS] Re: AFS Backups

Matthew A. Bacchi mbacchi@btv.ibm.com
Tue, 14 May 2002 13:46:05 -0400


>Has anyone tried running AFS backups as a cronjob? I tried it over the 
>weekend, but I cannot obtain tokens through cron (well, I could, but I'd 
>rather not leave the admin password in a text script). Any ideas would be 
>greatly appreciated.

You can do this most securely by putting your AFS userid password in a
file on the local filesystem, readable only by root.  Then, you use
klog with the "-pipe </passwdfile" switch to get tokens after using
pagsh to get a pag and issue your backup commands.  Don't forget to
unlog after the backup is finished, before exiting the pag.

The assumption that storing your AFS admin password in a file will
create a security hazard is only problematic in an environment where
you cannot trust your system administrators with the root password.
You should not be running other services on AFS servers where root
access can be gained using remote exploits, so the scenario in which a
cracker gets root, and then admin access to AFS, should not happen.

-Matt
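
The procedure described in the reply above, as an added example that is not part of the original post: a cron wrapper that refuses to run unless the password file is a root-owned regular file with no group/other access, then runs the given command under pagsh with klog -pipe and unlogs afterwards. The PWFILE and PRINCIPAL defaults, the script path and the function names are hypothetical, and the script assumes pagsh passes "-c SCRIPT ARGS" through to a Bourne-style shell for root.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper for AFS backup commands.
# PWFILE and PRINCIPAL defaults are hypothetical; set them for your cell.
PWFILE="${PWFILE:-/root/.afs-backup-pw}"
PRINCIPAL="${PRINCIPAL:-backupadmin}"

# pwfile_is_safe FILE [UID]: succeed only if FILE is a regular file (not a
# symlink), owned by UID (default 0), with no group/other bits and no ACL.
pwfile_is_safe() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # POSIX "ls -ln": field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn -- "$f")
    [ "$3" = "$want_uid" ] || return 1
    case $1 in
        -???------+*) return 1 ;;   # extra ACL entries may grant access
        -???------*)  return 0 ;;   # e.g. -rw------- or -r--------
        *)            return 1 ;;   # any group/other permission bit set
    esac
}

# run_backup CMD [ARGS...]: run CMD with tokens inside a fresh PAG, then unlog.
# Assumes pagsh hands "-c SCRIPT ARGS" to a Bourne-style shell for root.
run_backup() {
    if ! pwfile_is_safe "$PWFILE" 0; then
        echo "refusing to use $PWFILE: need a root-owned file, mode 0600 or stricter" >&2
        return 1
    fi
    pagsh -c '
        klog -principal "$1" -pipe < "$2" || exit 1
        shift 2
        "$@"; rc=$?
        unlog            # drop the tokens before the PAG shell exits
        exit "$rc"
    ' afs-backup "$PRINCIPAL" "$PWFILE" "$@"
}

# From cron (hypothetical path): /usr/local/sbin/afs-backup.sh <backup command and arguments>
if [ "$#" -gt 0 ]; then
    run_backup "$@"
fi
```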