Fwd: [OpenAFS] "reauth" code?

Russ Allbery rra@stanford.edu
Fri, 31 Aug 2012 09:27:11 -0700

Booker Bense <bbense@gmail.com> writes:

> I haven't yet seen a "right way" to do this in kerberos. Ideally you'd
> like an alternate key that can only be used from certain machines, to
> run certain programs.

This is one of the things that rxgk would give you, using combined tokens.

> Renewable and long life tickets can solve the batch problem with enough
> support. K5start is suitable for daemons, but cron is very difficult.

> The closest to "right" that I've seen is to create an alternate
> principal, user/cron@realm.org, stuff the key into a keytab and then
> keep tweaking acl's until the cron job can do everything it needs
> to. Secure, but inflicts a lot of user pain.

Yup, that's what we do here for cron jobs (primarily for web applications,
not for compute tasks).  We have a cron service that creates a /cron
principal for the user and runs jobs with tickets and tokens for that
principal.  The user can then add ACLs in AFS on appropriate directories.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>