[OpenAFS] Some beginner questions

Daniel Clark/Cambridge/IBM daniel_clark@us.ibm.com
Wed, 16 Oct 2002 10:49:04 -0400





> > 2. Can non-interactive scripts access AFS space?  For instance, is it
> > possible for root or a generic user to run commands from cron which
> > access AFS space? I don't see how these scripts would obtain tokens
> > without someone manually entering in a password at some point.
>
> Sort of.  You can use (relatively insecure) IP ACLs.  Or you can use
> a "keytab" based system (where the server running the long-job stores
> a password in a file readable only by root and obtains a token for AFS
> using that keytab).

Another option is OpenPBS [1] and Password Storage and Retrieval (PSR) [2],
where you encrypt your AFS password with a public key and put it in your
home directory, and trusted machine(s) which have the private key on local
disk then decrypt your password and run your job. MIT uses a variant of
this [3] [4] that uses their own code (see [5] sections III and IV) instead
of PSR.

[1] http://www.openpbs.org/
[2] http://www.lam-mpi.org/software/psr/
[3] http://web.mit.edu/longjobs/www/
[4] http://mit.edu/longjobs-dev/notebook/
[5] http://web.mit.edu/longjobs-dev/doc/netsec.txt

--
Daniel Clark # Sys Admin & Release Engineer
IBM > Lotus > Messaging Technology Group
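
Added example, not part of the original post or of any project named in it: a cron wrapper for the quoted "keytab" approach that refuses to use a keytab unless it is readable only by its owner, then obtains a token for the job and discards it afterwards. It assumes a Kerberos 5 site where `kinit -k -t` and OpenAFS `aklog`/`unlog` are installed; the function names, paths and principal are hypothetical.

```shell
#!/bin/sh
# Constructed example. Source this file from the cron job, then call e.g.:
#   run_with_token /etc/batch.keytab batch/host@EXAMPLE.ORG /usr/local/bin/nightly.sh
# (keytab path, principal and job path are placeholders)

# Succeed only if the secret file is a regular file (not a symlink),
# owned by root or the invoking user, with no group/other permission bits.
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # GNU stat uses -c, BSD stat uses -f; try both.
    meta=$(stat -c '%u %a' "$f" 2>/dev/null || stat -f '%u %Lp' "$f") || return 1
    owner=${meta%% *}
    mode=${meta##* }
    [ "$owner" = 0 ] || [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        *00) return 0 ;;   # 600, 400: owner-only access
        *)   return 1 ;;   # anything readable by group or others
    esac
}

# Obtain a ticket from the keytab, convert it to an AFS token, run the job,
# then drop the token and ticket so they do not outlive the job.
run_with_token() {
    keytab=$1
    principal=$2
    shift 2
    if ! secret_file_ok "$keytab"; then
        echo "refusing $keytab: wrong owner or permissions" >&2
        return 1
    fi
    # Per-job credential cache, kept apart from any interactive session.
    KRB5CCNAME=$(mktemp /tmp/krb5cc_job.XXXXXX) || return 1
    export KRB5CCNAME
    kinit -k -t "$keytab" "$principal" && aklog && "$@"
    rc=$?
    unlog
    kdestroy
    rm -f "$KRB5CCNAME"
    return $rc
}
```

Without a separate PAG, the token is tied to the job's uid for as long as it exists, so the final `unlog` matters on hosts where that uid runs other processes.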