LinuxQuestions.org
Old 03-01-2010, 05:27 AM   #1
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Rep: Reputation: 15
Automatic Renewal of Kerberos Tickets


Hi All,

Over the last few weeks I have rapidly been coming up to speed with all things Kerberos and I'm pretty much sorted apart from one thing.

On our Solaris machines I can use the 'ktkt_warnd' daemon to automatically renew users' tickets up to the maximum renewal time of the ticket.

However, I'm not sure how I do this on our Linux machines (Red Hat Enterprise 4).

Does anyone know of a daemon for Linux that provides the same sort of functionality?

Many thanks.
 
Old 03-05-2010, 07:48 AM   #2
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Since I've not really found anything better, I wrote the following script that cron (for now) runs every minute to renew Kerberos tickets:

Code:
#!/bin/bash
# Renew any ticket cache in /tmp whose TGT expires within the next five minutes
for f in /tmp/krb5cc*
do
        [ -f "$f" ] || continue
        OWNER=$( stat -c %u "$f" )
        GROUP=$( stat -c %g "$f" )
        # klist prints "<valid from> <expires> <principal>", so fields 3 and 4 are the expiry
        EXPIRES=$( klist -c "$f" 2> /dev/null | awk '/krbtgt/ { print $3, $4; exit }' )
        [ -n "$EXPIRES" ] || continue
        EXPIRE_TIME=$( date -d "$EXPIRES" +%s )
        if [ $(( EXPIRE_TIME - $( date +%s ) )) -le 300 ]
        then
                # kinit runs as root here, so hand the renewed cache back to its owner
                kinit -R -c "$f" && chown "$OWNER:$GROUP" "$f"
        fi
done
I would welcome constructive criticism on this as I'm still relatively new to Kerberos.
 
Old 03-08-2010, 08:37 AM   #3
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Well, the script has now evolved into a daemon that I call during machine startup, here it is for reference / in case it helps anyone out.

Code:
#!/bin/bash

# A small function to write an entry to the messages file
function msg {
        logger -t "k5renewd[$$]" "$1"
}

# LOCKFILE will contain the PID of this process
LOCKFILE=/var/lock/k5renewd

# If the lockfile already exists then another process must be running
if [ -f "$LOCKFILE" ]; then
        msg "Error: Daemon already running with pid $( cat "$LOCKFILE" )"
        exit 1
fi

# Echo this process's id to the LOCKFILE
echo $$ > "$LOCKFILE"

# Make sure we remove LOCKFILE if the process is killed
trap "{ rm -f $LOCKFILE; msg 'Daemon Stopped'; exit 255; }" EXIT

msg "Daemon Started"

# Go into an infinite loop with a 60 second pause between each iteration
while :; do
        # For every cache file we find do some stuff
        # (-maxdepth has to come before the tests, otherwise GNU find warns)
        for CACHE_FILE in $( find /tmp -maxdepth 1 -type f -name 'krb5cc*' ); do
                # Find the current owner and group (numeric) of the ticket cache
                OWNER=$( stat -c %u "$CACHE_FILE" )
                GROUP=$( stat -c %g "$CACHE_FILE" )

                # Find the expiry time of the ticket granting ticket; klist prints
                # "<valid from> <expires> <principal>", so fields 3 and 4 are the expiry
                EXPIRES=$( klist -c "$CACHE_FILE" 2> /dev/null | awk '/krbtgt/ { print $3, $4; exit }' )
                if [ -z "$EXPIRES" ]; then
                        msg "Could not read a TGT from $CACHE_FILE, skipping it"
                        continue
                fi
                EXPIRE_TIME=$( date -d "$EXPIRES" +%s )
                NOW=$( date +%s )

                # If it has already expired, might as well delete it
                if [ "$NOW" -ge "$EXPIRE_TIME" ]; then
                        kdestroy -c "$CACHE_FILE" &> /dev/null
                        msg "Removed expired ticket cache ($CACHE_FILE) for uid $OWNER"

                # Otherwise renew it (kinit -R fails once the renewable lifetime is used up)
                elif [ $(( EXPIRE_TIME - NOW )) -le 300 ]; then
                        if ! kinit -R -c "$CACHE_FILE" &> /dev/null; then
                                msg "An error occurred renewing $CACHE_FILE"
                        else
                                # kinit ran as root, so hand the cache back to its owner
                                chown "$OWNER:$GROUP" "$CACHE_FILE" &> /dev/null
                                msg "Renewed ticket cache ($CACHE_FILE) for uid $OWNER"
                        fi
                fi
        done

        # Wait for a minute and then go round again
        sleep 60
done
 
Old 09-02-2010, 09:39 AM   #4
haizaar
LQ Newbie
 
Registered: Feb 2010
Location: Israel
Posts: 6

Rep: Reputation: 0
What's the point of automatic renewing? Just set your KDC to issue tickets for a longer lifetime.

You may also want to look at kstart utility - http://packages.debian.org/lenny/kstart
 
Old 09-02-2010, 02:15 PM   #5
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Wow - I had long forgotten about this thread!

The point of automatic renewing is security.

We have users who run analysis jobs for days (sometimes weeks) at a time, so the expiry time would have to be in excess of 90 days, for example.

If a user was to leave the company, or get the sack, their credentials / login could remain valid for up to 3 months after they have left, using their cached credentials.

You are right though, I discovered the kstart utilities some time ago which do exactly what I want.