[OpenAFS] Cron jobs without service keytab
Lukas Kubin
kubin@opf.slu.cz
Tue, 13 Apr 2004 16:45:36 +0200
Mark Montague wrote:
> On Tue, 13 Apr 2004, Lukas Kubin wrote:
>
>>>No. Why don't you want to use keytabs? I'm not saying "you should
>>>use keytabs" but if you can tell me why you do not want to use them,
>>>I might be able to suggest another solution that would satisfy your
>>>requirements.
>>
>>Sure. The reason is I wish the common users to work with the AFS system
>>just like with any other common Linux system, both on a multiuser
>>application server and on their workstations on campus.
>>It would bring more administrative work to create and manage such
>>specific principals. Also I would have to treat such principals like
>>they were other users in our system, i.e. I have to create additional
>>LDAP and pts entries, set up their ACLs etc.
>
> I don't think that what you want is possible. The reason is that,
> unlike most deployments of NFS, AFS servers do not trust the AFS
> clients to say who users are -- users have to prove their identities
> to the server in order to access their AFS files. This is an
> intentional feature of AFS -- some degree of transparency and
> ease of use was given up in favor of security, which is necessary
> if AFS was to be a world-wide highly distributed networked filesystem.
>
> Your options here include:
>
> - For each user who wants to run a cron job that needs to
> access protected files in AFS, set up an additional
> Kerberos principal and PTS entry for them. The Kerberos
> principal would be username/cron@REALMNAME and the PTS
> principal would be username.cron You then create a keytab
> for username/cron@REALMNAME which you put on the machine
> that runs the cron job and permit so that only the user can
> read it. You then grant the appropriate AFS filesystem
> rights to username.cron using the "fs setacl" command so
> that a script running with a token obtained from the keytab
> can read and/or write to the necessary files in the
> user's home directory. You then tell the user that the
> first thing their cron job needs to do is get a token.
> Russ posted a URL last week to a web page containing some
> scripts that might be useful for this, or you can use
> the commands:
> kinit -k -t /path/to/keytab username/cron@REALMNAME
> aklog
> This is an additional hassle to set up, but it is in
> exchange for real security -- when set up properly, AFS
> will protect both the user's identity and their data.
> Hopefully, most users won't need to run cron jobs. Of
> those users who do need to run cron jobs, many cron jobs
> might be able to run with just system:anyuser access to
> things in AFS (for example, many cron jobs could be written
> to use a temporary data directory on the local machine).
> So hopefully, you won't need to set up any keytabs.
>
> - An alternative option is to set up cron to acquire a
> token for users. Note that this would be a Kerberos
> principal of the form machinename/cron@REALMNAME with
> a corresponding PTS entry of machinename.cron. All users
> who ran cron jobs would get the same token. This has
> the downside that if one user grants machinename.cron
> write access to a subdirectory in their home directory,
> all other users' cron jobs will have write access to this
> subdirectory, too. This is less secure and less flexible
> than the first option above, and, depending on your system,
> you may need to make changes to your cron daemon startup
> script, your PAM configuration, your PAM modules, and/or
> changes to the cron daemon source code.
>
> Here at the College of Literature, Science, and the Arts at
> the University of Michigan, we use the first option above.
>
> AFS comes with more administrative overhead than other filesystems,
> but it also has more features and better security. My opinion
> is that the administrative overhead is reasonable and worth the
> benefits that it brings.
>
> If your requirements are to have something that the users do not
> have to do anything special for, ever, then NFS is closer to
> meeting your need. Note, however, that you'll be giving up a
> lot of the features and security that AFS has. Also note that
> some versions of NFS support Kerberos, and in these cases, if
> you use the Kerberos support in NFS, you'll have the same sorts
> of problems that you are currently having with AFS.
>
> Sorry I can't provide the answer you were looking for.
Thank you. I started this thread to reassure myself that I'm not missing any
existing way to deal with cron jobs in an AFS-based network. After your
exhaustive description I'm quite sure what options I really have :-)
Thank you all a lot.
lukas
--
Lukas Kubin
phone: +420596398275
email: kubin@opf.slu.cz
Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
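The first option Mark describes (a per-user username/cron@REALMNAME principal, a username.cron PTS entry, and a user-readable keytab) ends with the cron job having to obtain its own token. The wrapper below is an added example, not a script from the thread or from OpenAFS: it derives the principal and PTS names from the login name, refuses a keytab that other users can read, acquires the token in a private credential cache with the `kinit -k -t` / `aklog` pair quoted above, runs the job, and discards the token afterwards. REALM (placeholder EXAMPLE.COM) and the keytab path are assumptions.

```shell
#!/bin/sh
# Added example: run a cron job with an AFS token from a per-user cron keytab.
# Assumes username/cron@REALM, the username.cron PTS entry and the keytab
# already exist, as described in Mark's first option.
set -eu

REALM="${REALM:-EXAMPLE.COM}"          # placeholder realm, not from the thread
KEYTAB="${KEYTAB:-$HOME/.cron.keytab}" # assumed path; must be owner-readable only

# Kerberos principal for a user's cron jobs: username/cron@REALM
cron_principal() { printf '%s/cron@%s\n' "$1" "$REALM"; }

# The matching PTS name: the Kerberos '/' becomes '.' in AFS (username.cron)
cron_pts_name() { printf '%s.cron\n' "$1"; }

# A keytab readable by other users lets them obtain the user's cron token,
# so only accept owner-only permissions (0400 or 0600).
keytab_is_private() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    400|600) return 0 ;;
    *) return 1 ;;
  esac
}

# Acquire a token from the keytab, run the given command, then drop the token.
run_with_token() {
  user=$(id -un)
  keytab_is_private "$KEYTAB" || { echo "$KEYTAB must be mode 0400" >&2; return 2; }
  # Private credential cache so the cron token never touches a login session
  KRB5CCNAME=$(mktemp "${TMPDIR:-/tmp}/krb5cc_cron.XXXXXX")
  export KRB5CCNAME
  trap 'kdestroy >/dev/null 2>&1 || true; unlog >/dev/null 2>&1 || true; rm -f "$KRB5CCNAME"' EXIT
  kinit -k -t "$KEYTAB" "$(cron_principal "$user")"   # Kerberos TGT from the keytab
  aklog                                               # exchange it for an AFS token
  "$@"
}

# Typical crontab line (the user first grants username.cron rights with
# "fs setacl ~/somedir username.cron rl"):
#   0 3 * * * /path/to/afs-cron-wrapper.sh /path/to/nightly-job.sh
if [ "$#" -gt 0 ]; then
  run_with_token "$@"
fi
```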