Fwd: [OpenAFS] "reauth" code?

Russ Allbery rra@stanford.edu
Fri, 31 Aug 2012 09:27:11 -0700


Booker Bense <bbense@gmail.com> writes:

> I haven't yet seen a "right way" to do this in kerberos. Ideally you'd
> like an alternate key that can only be used from certain machines, to
> run certain programs.

This is one of the things that rxgk would give you, using combined tokens.

> Renewable and long life tickets can solve the batch problem with enough
> support. K5start is suitable for daemons, but cron is very difficult.

> The closest to "right" that I've seen is to create an alternate
> principal, user/cron@realm.org, stuff the key into a keytab and then
> keep tweaking ACLs until the cron job can do everything it needs
> to. Secure, but inflicts a lot of user pain.

Yup, that's what we do here for cron jobs (primarily for web applications,
not for compute tasks).  We have a cron service that creates a /cron
principal for the user and runs jobs with tickets and tokens for that
principal.  The user can then add ACLs in AFS on appropriate directories.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
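An added example, not from this thread or from any of the sites mentioned, showing what a wrapper for the "/cron principal" scheme described above could look like: k5start takes the principal's key from a keytab into a private ticket cache, gets AFS tokens for it, runs the job, and the user grants that principal's AFS (PTS) name rights on a directory with fs setacl. The keytab path, the realm, and the K5START/FS override variables are assumptions for this example.

```shell
#!/bin/sh
# Example wrapper (not the thread's code) for running a cron job as the
# user's cron principal, e.g. alice/cron@EXAMPLE.ORG (placeholder realm).
# Assumed layout: the keytab lives at /etc/cron-keytabs/<user>.keytab.
set -eu

# AFS (PTS) name for a Kerberos principal: alice/cron@REALM -> alice.cron
pts_name_from_principal() {
    p=${1%@*}                      # drop the realm
    printf '%s\n' "$p" | tr '/' '.'
}

# Run COMMAND with tickets for the principal in KEYTAB and AFS tokens for it,
# in a private ticket cache so the user's own credentials are never touched.
# Usage: run_as_cron_principal KEYTAB COMMAND [ARGS...]
run_as_cron_principal() {
    keytab=$1; shift
    [ -r "$keytab" ] || { echo "keytab $keytab is not readable" >&2; return 1; }
    cc=$(mktemp /tmp/krb5cc_cron.XXXXXX)
    # -U: principal comes from the keytab, -t: run aklog for AFS tokens,
    # -k: use our private cache; k5start runs COMMAND with KRB5CCNAME set.
    # K5START may be overridden (e.g. with 'echo') to dry-run the wrapper.
    if "${K5START:-k5start}" -q -U -f "$keytab" -k "FILE:$cc" -t -- "$@"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$cc"                    # drop the ticket cache once the job is done
    return $rc
}

# What the user runs once to let the cron principal read a directory.
# Usage: grant_cron_read DIR PRINCIPAL
grant_cron_read() {
    dir=$1; principal=$2
    "${FS:-fs}" setacl "$dir" "$(pts_name_from_principal "$principal")" rl
}

# Example crontab line using this wrapper (assumed paths):
# 15 3 * * * /usr/local/bin/cronwrap /etc/cron-keytabs/alice.keytab /home/alice/bin/nightly
```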