[OpenAFS] tokens for long processes
Charles Clancy
security@xauth.net
Tue, 4 Mar 2003 19:28:14 -0600 (CST)
On Wed, 5 Mar 2003, Nathan Ward wrote:
> As I use Kerberos 5, I am able to store the key for my 'task user' in a
> keytab and then call kinit with that keytab and then aklog. This is an
> ok solution and while the system could be hacked and that keytab stolen,
> the security is better than IP address.

You can do this with kaserver too. You just need to create a srvtab with
the appropriate key in it. Then with some krb4 tools, you can use it.

I have a perl script to create such a srvtab:
http://ismene.csl.uiuc.edu/~tclancy/makesrvtab

You'll need to install a krb4 distribution and configure /etc/krb.*
appropriately. Here are some useful commands for manipulating the srvtab:

See what keys are in the srvtab:
$ klist -f /path/to/srvtab -srvtab

Get an AFS token with the srvtab:
$ kauth [username] -f /path/to/srvtab

If you don't like my utility, krb4 comes with a clumsy one:
$ ksrvutil -f /path/to/srvtab -p [username] -r [cellname] add

You'll be prompted for some info:
  Name = your username
  Instance = leave blank (unless you have user.instance principals)
  Realm = cell name in all caps
  Version number = kvno from "kas examine username"
  Password = your password

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
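
Added example, not part of the original message and not the makesrvtab script linked above: a small Python audit that lists the principals and kvno stored in a srvtab without printing the key, and flags ownership or permission settings that would make the stored key easy to steal. It assumes the krb4 srvtab record layout (NUL-terminated name, instance and realm, then a one-byte kvno and an 8-byte DES key); the function names, the `taskuser` principal and the `EXAMPLE.ORG` cell are constructed for illustration.

```python
import os
import stat
import sys

KEY_LEN = 8  # assumption: krb4 srvtab keys are single-DES, 8 bytes


def parse_srvtab(data):
    """Return (name, instance, realm, kvno) tuples; key bytes are never returned."""
    entries, pos = [], 0
    while pos < len(data):
        fields = []
        for _ in range(3):  # name, instance, realm: NUL-terminated strings
            end = data.find(b"\0", pos)
            if end < 0:
                raise ValueError("truncated string field at offset %d" % pos)
            fields.append(data[pos:end].decode("ascii"))
            pos = end + 1
        if pos + 1 + KEY_LEN > len(data):
            raise ValueError("truncated kvno/key at offset %d" % pos)
        kvno = data[pos]
        pos += 1 + KEY_LEN  # step over the key without keeping it
        entries.append((fields[0], fields[1], fields[2], kvno))
    return entries


def permission_problems(mode, owner_uid, uid):
    """List reasons a srvtab with this st_mode/st_uid is unsafe for the given uid."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if owner_uid != uid:
        problems.append("owned by uid %d, expected %d" % (owner_uid, uid))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other bits set (mode %o)" % stat.S_IMODE(mode))
    return problems


# Constructed sample: one entry for a made-up principal and cell, dummy key.
SAMPLE = b"taskuser\0" + b"\0" + b"EXAMPLE.ORG\0" + bytes([3]) + b"\x01" * KEY_LEN

if __name__ == "__main__":
    data = SAMPLE
    if len(sys.argv) > 1:
        st = os.lstat(sys.argv[1])  # lstat so a symlink is reported, not followed
        for problem in permission_problems(st.st_mode, st.st_uid, os.getuid()):
            print("WARNING:", problem)
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    for name, inst, realm, kvno in parse_srvtab(data):
        print("%s.%s@%s kvno=%d" % (name, inst, realm, kvno))
```

Run it with the srvtab path as the only argument before the task calls kauth; with no argument it parses the constructed sample.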