Kerberos Scripts for Renewing Tickets
#!/bin/sh
## Argument should be a relative time for 'at'
## e.g. 'now + 8 hours'

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

KINIT_FLAGS="-RA -r7d -l1d"   # -r7m -l3d

## If this is the first run, we need to save some info.
## 'at' preserves the environment, so the exported values
## survive into every later run of this job.
if [ -z "${rtx_atprog}" ]
then
    rtx_atprog=$0
    rtx_time=$*
    export rtx_atprog rtx_time
fi

## Renew my Kerberos ticket
kinit ${KINIT_FLAGS} || exit

## Schedule next renewal (rtx_time is left unquoted on purpose so that
## 'now + 8 hours' is passed to 'at' as separate words; 'at' reports the
## job id on stderr, so stderr is silenced together with stdout)
at -f "${rtx_atprog}" ${rtx_time} > /dev/null 2>&1
#!/bin/sh
## Generic wrapper script for obtaining Kerberos tickets
## and maintaining their validity
## The script is designed to be linked to the name of
## the actual program desired by the user
## Note: This path should exclude the location of auth_wrapper,
## otherwise 'exec ${REAL_CMD}' below would find the wrapper again
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

REAL_CMD=$(basename "$0")

## renew_tgt should be in the same directory as auth_wrapper
RENEW_TGT=$(dirname "$0")/renew_tgt
RENEW_ARGS="now + 8 hours"    # now + 24 hours
KINIT_FLAGS="-A -r7d -l1d"    # -r7m -l3d
PRINCIPAL=${USER}@UCAR.EDU    # ${USER}/hpss@UCAR.EDU

## Numeric uid of the calling user. 'id -u' is used instead of grepping
## /etc/passwd (which matches substrings of other user names), and the
## variable is not called UID because bash makes UID read-only.
MY_UID=$(id -u)
## HOME is normally already set in the environment
#HOME=$(getent passwd "${USER}" | cut -f6 -d:)

## Create a dedicated credentials cache if one isn't set
if [ -z "${KRB5CCNAME}" ]
then
    KRB5CCNAME=FILE:${HOME}/.krb5cc_${MY_UID}_${REAL_CMD}.$$
    export KRB5CCNAME
fi

## Check if we have a valid TGT, and get one if we don't
## Keep that TGT valid until the renewal lifetime expires
## (a brace group is used here; the original $(...) would have tried to
## execute kinit's output as a command)
klist -s || { kinit ${KINIT_FLAGS} "${PRINCIPAL}" \
    && ${RENEW_TGT} ${RENEW_ARGS} > /dev/null 2>&1; }

## Abort if we still don't have a valid TGT
klist -s || exit 1

## Run wrapped command
exec "${REAL_CMD}" "$@"
You need to request renewable tickets in your first command. That's the '-r' flag, and '7d' is the max allowed renewable lifetime. So try this:

kinit -r7d    # This should get you a ticket good for 8 hours,
              # and renewable for tickets valid up to one week
              # from now
klist -f      # This should show that the ticket has the
              # renewable flag set
kinit -R      # This should get you another 8-hour ticket
              # without requesting your passphrase

/usr/krb5/bin/kinit -R -r7d -l1d

You only use the '-R' option when renewing, not when authenticating the first time. To get your initial tickets use:

kinit -r7d -l1d

================

I've tried to boil things down to basics. Here's a simple self-renewing at(1) job that will keep your tickets renewed:

#!/bin/sh
## Argument should be a relative time for 'at'
## e.g. 'now + 8 hours'

## If this is the first run, we need to save some info
if [ "${rtx_atprog}" = "" ]
then
    rtx_atprog=$0
    export rtx_atprog
    rtx_time=$*
    export rtx_time
fi

## Renew my Kerberos ticket
kinit -R -r7d -l1d || exit

## Schedule next renewal (rtx_time stays unquoted so 'at' sees
## 'now + 8 hours' as separate words)
at -f "${rtx_atprog}" ${rtx_time} > /dev/null 2>&1

If you are running a periodic process out of cron, it's fairly easy to just renew the tickets each time the job is run, e.g.

10 1 11,21,31 * * kinit -R -r7d -l1d || exit; my_cron_job
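The replies above make one point that the wrapper's `klist -s` test does not cover: `kinit -R` only works while the TGT is still valid, still inside its renewable lifetime, and was obtained with `-r` in the first place. The following is an added example, not part of the original scripts, that reads `klist -f` output and tells a renewal job which of the two `kinit` invocations is appropriate. It assumes MIT `klist` formatting with `MM/DD/YY HH:MM:SS` timestamps; the sample outputs are constructed, not captured from a real system.

```shell
#!/bin/sh
# Classify a credential cache from 'klist -f' output so a renewal job knows
# whether 'kinit -R' can succeed or a fresh 'kinit' is needed.
# Assumes MIT klist formatting with MM/DD/YY HH:MM:SS timestamps.

# tgt_state "<klist -f output>" "<now as MM/DD/YY HH:MM:SS>"
# Prints: none | not-renewable | expired | renew-window-closed | renewable
tgt_state() {
    printf '%s\n' "$1" | awk -v now_raw="$2" '
        # "MM/DD/YY HH:MM:SS" -> YYMMDDHHMMSS, comparable as a number
        function key(ts,   p) { split(ts, p, "[/ :]"); return (p[3] p[1] p[2] p[4] p[5] p[6]) + 0 }
        BEGIN { now = key(now_raw) }
        /krbtgt\// { expires = key($3 " " $4); found = 1; next }    # the TGT line
        found && /^[0-9]/ { exit }                                 # next ticket: stop
        found && /Flags:/ { f = $0; sub(/.*Flags: */, "", f); flags = f }
        found && /renew until/ { r = $0; sub(/.*renew until */, "", r); sub(/,.*/, "", r); ru = key(r) }
        END {
            if (!found)               { print "none"; exit }
            if (flags !~ /R/)         { print "not-renewable"; exit }  # first kinit lacked -r
            if (now >= expires)       { print "expired"; exit }        # too late for -R
            if (ru == 0 || now >= ru) { print "renew-window-closed"; exit }
            print "renewable"
        }'
}

# Map a state to the kinit invocation the replies above recommend
renewal_command() {
    case "$1" in
        renewable) echo "kinit -R" ;;          # renew, no passphrase needed
        *)         echo "kinit -r7d -l1d" ;;   # fresh, renewable TGT
    esac
}

# Constructed sample output (not captured from a real system)
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@UCAR.EDU

Valid starting     Expires            Service principal
04/15/24 09:00:00  04/15/24 17:00:00  krbtgt/UCAR.EDU@UCAR.EDU
    renew until 04/22/24 09:00:00, Flags: FRIA'

SAMPLE_NOT_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@UCAR.EDU

Valid starting     Expires            Service principal
04/15/24 09:00:00  04/15/24 17:00:00  krbtgt/UCAR.EDU@UCAR.EDU
    Flags: FIA'

# Live use: renewal_command "$(tgt_state "$(klist -f)" "$(date '+%m/%d/%y %H:%M:%S')")"
```

Dropping this in front of the `klist -s` test in auth_wrapper lets the wrapper re-authenticate instead of scheduling renewals that the KDC will refuse.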