[OpenAFS] tokens for long processes

Charles Clancy security@xauth.net
Tue, 4 Mar 2003 19:28:14 -0600 (CST)


On Wed, 5 Mar 2003, Nathan Ward wrote:

> As I use Kerberos 5, I am able to store the key for my 'task user' in a
> keytab and then call kinit with that keytab and then aklog. This is an
> ok solution and while the system could be hacked and that keytab stolen,
> the security is better than IP address.

You can do this with kaserver too.  You just need to create a srvtab with
the appropriate key in it.  Then with some krb4 tools, you can use it.

I have a Perl script to create such a srvtab:
	http://ismene.csl.uiuc.edu/~tclancy/makesrvtab

You'll need to install a krb4 distribution and configure /etc/krb.*
appropriately.  Here are some useful commands for manipulating the srvtab:

See what keys are in the srvtab:
$ klist -f /path/to/srvtab -srvtab

Get an AFS token with the srvtab:
$ kauth [username] -f /path/to/srvtab

If you don't like my utility, krb4 comes with a clumsy one:
$ ksrvutil -f /path/to/srvtab -p [username] -r [cellname] add
You'll be prompted for some info:
	Name = your username
	Instance = leave blank (unless you have user.instance principals)
	Realm = cell name in all caps
	Version number = kvno from "kas examine username"
	Password = your password

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
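
Added example, not part of the original message and not Clancy's makesrvtab script: a Python check for a srvtab like the one described above. It lists the principals and kvnos the file holds (the information `klist -srvtab` shows) and reports whether the file is accessible beyond its owner. It assumes the classic krb4 srvtab layout (name, instance, realm as NUL-terminated strings, then a 1-byte kvno and an 8-byte DES key); the sample bytes, principal name and realm are constructed.

```python
import os
import stat
import tempfile

KEY_LEN = 8  # assumed layout: one single-DES key per entry
# Constructed sample entry: user "taskuser", blank instance, kvno 3, all-zero key.
SAMPLE = b"taskuser\0" + b"\0" + b"EXAMPLE.ORG\0" + bytes([3]) + bytes(KEY_LEN)

def parse_srvtab(data):
    """Return [(name, instance, realm, kvno)]; key bytes are skipped, never returned."""
    entries, pos = [], 0
    while pos < len(data):
        fields = []
        for _ in range(3):  # name, instance, realm
            end = data.find(b"\0", pos)
            if end < 0:
                raise ValueError("unterminated string at offset %d" % pos)
            fields.append(data[pos:end].decode("ascii"))
            pos = end + 1
        if pos + 1 + KEY_LEN > len(data):
            raise ValueError("truncated kvno/key at offset %d" % pos)
        entries.append((*fields, data[pos]))  # data[pos] is the kvno byte
        pos += 1 + KEY_LEN
    return entries

def audit_srvtab(path):
    """Return a list of findings for the srvtab file at path (empty list = clean)."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o lets group/other reach the key" % stat.S_IMODE(st.st_mode))
    if st.st_uid != os.geteuid():
        findings.append("owned by uid %d, not the running user" % st.st_uid)
    with open(path, "rb") as fh:
        for name, inst, realm, kvno in parse_srvtab(fh.read()):
            if realm != realm.upper():  # the post says: realm = cell name in all caps
                findings.append("%s: realm %r is not upper case" % (name, realm))
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o644)  # deliberately too open, to show the finding
    print(parse_srvtab(SAMPLE))
    print(audit_srvtab(tmp.name))
    os.unlink(tmp.name)
```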