Linux - Software This forum is for Software issues.
03-01-2010, 05:27 AM | #1
Member | Registered: Nov 2004 | Location: Derby - UK | Distribution: Ubuntu at Home, RedHat Enterprise at Work | Posts: 46
Automatic Renewal of Kerberos Tickets
Hi All,
Over the last few weeks I have rapidly been coming up to speed with all things Kerberos and I'm pretty much sorted apart from one thing.
On our Solaris machines I can use the 'ktkt_warnd' daemon to automatically renew user's tickets up to the maximum renewal time of the ticket.
However, I'm not sure how I do this on our Linux machines (Red Hat Enterprise 4).
Does anyone know of a daemon for Linux that provides the same sort of functionality?
Many thanks.
03-05-2010, 07:48 AM | #2
Original Poster | Member | Registered: Nov 2004 | Location: Derby - UK | Distribution: Ubuntu at Home, RedHat Enterprise at Work | Posts: 46
Since I've not really found anything better, I wrote the following script that cron (for now) runs every minute to renew Kerberos tickets:
Code:
#!/bin/bash
# Look at every credential cache in /tmp (glob instead of parsing ls output)
for f in /tmp/krb5cc*
do
    [ -f "$f" ] || continue
    # Remember who owns the cache, because kinit run by root will re-own it
    OWNER=$( stat -c '%u' "$f" )
    GROUP=$( stat -c '%g' "$f" )
    # Expiry of the ticket-granting ticket, taken from the krbtgt line of klist
    EXPIRE_TIME=$( date -d "$( klist -c "$f" | grep krbtgt | awk '{print $3, $4}' )" +%s )
    # Renew when five minutes or less remain
    if [ $(( EXPIRE_TIME - $( date +%s ) )) -le 300 ]
    then
        kinit -R -c "$f"
        chown "$OWNER:$GROUP" "$f"
    fi
done
I would welcome constructive criticism on this as I'm still relatively new to Kerberos.
03-08-2010, 08:37 AM | #3
Original Poster | Member | Registered: Nov 2004 | Location: Derby - UK | Distribution: Ubuntu at Home, RedHat Enterprise at Work | Posts: 46
Well, the script has now evolved into a daemon that I call during machine startup; here it is for reference, in case it helps anyone out.
Code:
#!/bin/bash
# A small function to write an entry to the messages file
function msg {
    logger -t "k5renewd[$$]" "$1"
}
# LOCKFILE will contain the PID of this process
LOCKFILE=/var/lock/k5renewd
# If the lockfile already exists and its PID is still alive then another process must be running
if [ -f "$LOCKFILE" ] && kill -0 "$( cat "$LOCKFILE" )" 2> /dev/null; then
    msg "Error: Daemon already running with pid $( cat "$LOCKFILE" )"
    exit 1
fi
# Echo this process's id to the LOCKFILE
echo $$ > "$LOCKFILE"
# Make sure we remove LOCKFILE if the process is killed
trap "{ rm -f $LOCKFILE; msg 'Daemon Stopped'; exit 255; }" EXIT
msg "Daemon Started"
# Go into an infinite loop with a 60 second pause between each iteration
while :; do
    # For every cache file we find do some stuff (-maxdepth must precede the tests for GNU find)
    for CACHE_FILE in $( find /tmp -maxdepth 1 -type f -name 'krb5cc*' ); do
        # Find the current owner and group of the ticket cache
        OWNER=$( stat -c '%u' "$CACHE_FILE" )
        GROUP=$( stat -c '%g' "$CACHE_FILE" )
        # Find the expiry time of the ticket granting ticket; skip caches that hold no TGT
        EXPIRES=$( klist -c "$CACHE_FILE" 2> /dev/null | grep krbtgt | awk '{print $3, $4}' )
        [ -n "$EXPIRES" ] || continue
        EXPIRE_TIME=$( date -d "$EXPIRES" +%s )
        NOW=$( date +%s )
        # If it has already expired, might as well delete it
        if [ "$NOW" -ge "$EXPIRE_TIME" ]; then
            kdestroy -c "$CACHE_FILE" &> /dev/null
            msg "Removed expired ticket cache ($CACHE_FILE) for user $OWNER"
        # Otherwise renew it when five minutes or less remain
        elif [ $(( EXPIRE_TIME - NOW )) -le 300 ]; then
            if ! kinit -R -c "$CACHE_FILE" &> /dev/null; then
                msg "An error occurred renewing $CACHE_FILE"
            else
                # kinit ran as root, so give the cache back to its owner
                chown "$OWNER:$GROUP" "$CACHE_FILE" &> /dev/null
                msg "Renewed ticket cache ($CACHE_FILE) for user $OWNER"
            fi
        fi
    done
    # Wait for a minute and then go round again
    sleep 60
done
09-02-2010, 09:39 AM | #4
LQ Newbie | Registered: Feb 2010 | Location: Israel | Posts: 6
What's the point of automatic renewing? Just set your KDC to issue tickets for a longer lifetime.
You may also want to look at kstart utility - http://packages.debian.org/lenny/kstart
09-02-2010, 02:15 PM | #5
Original Poster | Member | Registered: Nov 2004 | Location: Derby - UK | Distribution: Ubuntu at Home, RedHat Enterprise at Work | Posts: 46
Wow - I had long forgotten about this thread!
The point of automatic renewing is security.
We have users who run analysis jobs for days (sometimes weeks) at a time, so the expiry time would have to be in excess of 90 days, for example.
If a user was to leave the company, or get the sack, their credentials / login could remain valid for up to 3 months after they have left, using their cached credentials.
You are right though, I discovered the kstart utilities some time ago which do exactly what I want.
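The renew-or-destroy decision made by the scripts in posts #2 and #3, factored into functions so the policy can be exercised offline, plus the bound that post #5's security argument rests on: a ticket can only be renewed until its "renew until" time, after which kinit -R fails and the user must authenticate again. This is an added example, not code from the thread; it assumes MIT klist's output layout (a krbtgt line followed by an indented "renew until" line), GNU date for "date -d", and the klist, kinit, kdestroy, stat and logger commands. The klist output below is constructed, and renew_cache is a hypothetical wrapper showing where the real commands would be called.

```bash
#!/bin/bash
# Added example (not from the thread). Assumes MIT klist output and GNU date.
THRESHOLD=300   # seconds before expiry at which we renew, as in the thread's scripts

# Constructed klist output for one cache (not captured from a real system)
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/10 05:27:00  03/01/10 15:27:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/08/10 05:27:00
'

# to_epoch "MM/DD/YY HH:MM:SS" -> seconds since the epoch; empty input prints nothing
to_epoch() {
    [ -n "$1" ] || return 0
    date -d "$1" +%s
}

# tgt_times: read klist output on stdin, print "<expires> <renew_until>" in epoch
# seconds; both are 0 when absent (no TGT, or a ticket that is not renewable)
tgt_times() {
    local fields expires renew
    fields=$(awk '/krbtgt\// { e = $3 " " $4 }
                  /renew until/ { r = $3 " " $4 }
                  END { print e "|" r }')
    expires=$(to_epoch "${fields%%|*}")
    renew=$(to_epoch "${fields#*|}")
    printf '%s %s\n' "${expires:-0}" "${renew:-0}"
}

# renew_action NOW EXPIRES RENEW_UNTIL -> invalid | destroy | wait | exhausted | renew
renew_action() {
    local now=$1 expires=$2 renew_until=$3
    if [ "$expires" -eq 0 ]; then
        echo invalid      # no TGT in the cache: nothing to renew
    elif [ "$now" -ge "$expires" ]; then
        echo destroy      # already expired: kdestroy it, as post #3 does
    elif [ $((expires - now)) -gt "$THRESHOLD" ]; then
        echo wait         # plenty of life left, check again next round
    elif [ "$renew_until" -le "$now" ]; then
        echo exhausted    # renewable lifetime used up: kinit -R would fail
    else
        echo renew
    fi
}

# renew_cache CACHE_FILE (hypothetical wrapper): apply the decision to a real cache,
# restoring ownership afterwards because kinit run by root re-owns the file
renew_cache() {
    local cache=$1 times expires renew_until now owner
    times=$(klist -c "$cache" 2>/dev/null | tgt_times)
    expires=${times%% *}
    renew_until=${times#* }
    now=$(date +%s)
    case $(renew_action "$now" "$expires" "$renew_until") in
        destroy)   kdestroy -c "$cache" ;;
        renew)     owner=$(stat -c '%u:%g' "$cache")
                   kinit -R -c "$cache" && chown "$owner" "$cache" ;;
        exhausted) logger -t k5renew "renewable lifetime of $cache exhausted, not renewing" ;;
        *)         : ;;
    esac
}

# demo: evaluate the constructed sample two minutes before its TGT expires,
# well inside the renewable window, so the decision is "renew"
demo() {
    local times expires renew_until
    times=$(printf '%s' "$SAMPLE_KLIST" | tgt_times)
    expires=${times%% *}
    renew_until=${times#* }
    renew_action $((expires - 120)) "$expires" "$renew_until"
}
```

The "exhausted" branch is the point the thread circles around: once the renewable lifetime set by the KDC has run out, the daemon cannot extend the ticket any further, so the cached credentials of someone who has left stop working at that bound rather than after a 90-day ticket lifetime.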