[OpenAFS] Renewing tokens for long-running jobs

Russ Allbery rra@stanford.edu
Thu, 22 Feb 2007 07:26:50 -0800


Jason Edgecombe <openafs@rampaginggeek.com> writes:

> Does anyone have a script that reauthenticates a users process for a
> long running job? I'm looking for something that you can run before a
> job or during the job that asks for the user's password and
> reauthenticates to kerberos 5 and renews the tokens. The users wants to
> run jobs for 15 days and I don't want to extend the kerberos ticket
> lifetime for that long.

We have such a program, but only for Kerberos v4, which probably isn't
very useful.  However, I would strongly encourage you to *not* do this,
since having the user's password sitting around in a running process isn't
a great security practice.

Instead, rather than increasing the maximum ticket lifetime, increase the
*renewable* ticket lifetime to 15 days.  That's what renewable tickets are
for.  Then, have the user run their job via a program such as krenew from:

    <http://www.eyrie.org/~eagle/software/kstart/>

to automatically renew their tickets periodically.  The advantage of using
renewable tickets over extended lifetime tickets is that if you invalidate
the user's Kerberos entry for any reason (such as evidence of a compromise
or, I *believe*, a key change), the ticket will only be valid for the
regular lifetime of your tickets and the renewal will be rejected by the
KDC.  And that way the user's password isn't sitting around anywhere.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>