Automatic Renewal of Kerberos Tickets

0ddba11 · 03-01-2010, 05:27 AM

Hi All,

Over the last few weeks I have rapidly been coming up to speed with all things Kerberos and I'm pretty much sorted apart from one thing.

On our Solaris machines I can use the 'ktkt_warnd' daemon to automatically renew user's tickets up to the maximum renewal time of the ticket.

However, I'm not sure how I do this on our Linux machines (Red Hat Enterprise 4).

Does anyone know of a daemon for Linux that provides the same sort of functionality?

Many thanks.

0ddba11 · 03-05-2010, 07:48 AM

Since I've not really found anything better, I wrote the following script that cron (for now) runs every minute to renew kerberos tickets:

Code:

#!/bin/bash
for f in $( ls -1 /tmp/krb5cc* 2> /dev/null )
do
        OWNER=$( ls -l $f | awk '{print $3}' )
        GROUP=$( ls -l $f | awk '{print $4}' )
        EXPIRE_TIME=$( date -d "$( klist -c $f | grep krbtgt | awk '{print $3, $4}' )" +%s )
        if [ $( expr $EXPIRE_TIME - $( date +%s ) ) -le 300 ]
        then
                kinit -R -c $f
                chown $OWNER:$GROUP $f
        fi
done

I would welcome constructive criticism on this as I'm still relatively new to Kerberos.

0ddba11 · 03-08-2010, 08:37 AM

Well, the script has now evolved into a daemon that I call during machine startup, here it is for reference / in case it helps anyone out.

Code:

#!/bin/bash

# A small function to write an entry to the messages file
function msg {
        logger -t "k5renewd[$$]" "$1"
}

# LOCKFILE will contain the PID of this process
LOCKFILE=/var/lock/k5renewd

# If the lockfile already exists then another process must be running
if [ -f $LOCKFILE ]; then
        msg "Error: Daemon already running with pid $( cat $LOCKFILE )"
        exit 1
fi

# Echo this process's id to the LOCKFILE
echo $$ > $LOCKFILE

# Make sure we remove LOCKFILE of the process is killed
trap "{ rm -f $LOCKFILE; msg 'Daemon Stopped'; exit 255; }" EXIT

msg "Daemon Started"

# Go into an infinite loop with a 60 second pause between each iteration
while :; do
        # For every cache file we find do some stuff
        for CACHE_FILE in $( find /tmp -type f -maxdepth 1 -name 'krb5cc*' ); do
                # Find the current owner and group of the ticket cache
                OWNER=$( ls -n $CACHE_FILE | awk '{print $3}' )
                GROUP=$( ls -n $CACHE_FILE | awk '{print $4}' )

                # Find the expirey time of the ticket granting ticket
                EXPIRE_TIME=$( date -d "$( klist -c $CACHE_FILE | grep krbtgt | awk '{print $3, $4}' )" +%s )

                # If it has already expired, might as well delete it
                if [ $( date +%s ) -ge $EXPIRE_TIME ]; then
                        kdestroy -c $CACHE_FILE &> /dev/null
                        msg "Removed expired ticket cache ($CACHE_FILE) for user $OWNER"

                # Otherwise renew it
                elif [ $( expr $EXPIRE_TIME - $( date +%s ) ) -le 300 ]; then
                        kinit -R -c $CACHE_FILE &> /dev/null
                        if [ $? -ne 0 ]; then
                                msg "An error occurred renewing $CACHE_FILE"
                        else
                                chown $OWNER:$GROUP $CACHE_FILE &> /dev/null
                                msg "Renewed ticket cache ($CACHE_FILE) for user $OWNER"
                        fi
                fi
        done

        # Wait for a minute and then go round again
        sleep 60
done

haizaar · 09-02-2010, 09:39 AM

What's the point of automatic renewing? - just set your kdc to issue tickets for a longer live time.

You may also want to look at kstart utility - http://packages.debian.org/lenny/kstart

0ddba11 · 09-02-2010, 02:15 PM

Wow - I had long forgotten about this thread!

The point of automatic renewing is security.

We have users who run analysis jobs for days (sometimes weeks) at a time, so the expiry time would have to be in excess of 90 days for example.

If a user was to leave the company, or get the sack, their credentials / login, could remain valid for up to 3 months ofter they have left using their cached credentials.

You are right though, I discovered the kstart utilities some time ago which do exactly what I want.