ScreenKerberos

From NA-Wiki

Revision as of 14:46, 9 October 2008 by Holst (Talk | contribs)

Background

If you use 'screen' and want Kerberos tickets that last a long time inside it, you want to point the KRB5CCNAME variable at a private copy of the credential cache holding the long-lived tickets, so that the screen saver (and anything else that runs kinit in your login session) does not overwrite them with short-lived tickets.

This is a session that demonstrates the behavior:

na56:~>kinit -f --renewable -l 10000000
holst@NADA.KTH.SE's Password: 
kinit: NOTICE: ticket lifetime is 1 month
na56:~>klist -Tf
Credentials cache: FILE:/tmp/tmp.qoJGdx6168
        Principal: holst@NADA.KTH.SE

  Issued           Expires        Flags    Principal
Sep  5 11:46:54  Oct  5 11:46:54  FRI    krbtgt/NADA.KTH.SE@NADA.KTH.SE
Sep  5 11:46:54  Oct  5 11:46:54         krbtgt/NADA.KTH.SE@NADA.KTH.SE
Sep  5 11:46:54  Oct  5 11:46:54         afs@NADA.KTH.SE
Sep  5 11:46:54  Oct  5 11:46:54         afs/pdc.kth.se@NADA.KTH.SE

Sep  5 11:46:54  Oct  5 11:46:53  User's (AFS ID 44078) tokens for pdc.kth.se
Sep  5 11:46:54  Oct  5 11:46:53  User's (AFS ID 44078) tokens for nada.kth.se
na56:~>cp -v /tmp/tmp.qoJGdx6168 `mktemp`
`/tmp/tmp.qoJGdx6168' -> `/tmp/tmp.LloBiL6213'
na56:~>setenv KRB5CCNAME /tmp/tmp.LloBiL6213
na56:~>screen -U
na56:~>afslog

Why is it needed?

If you do not immediately see why this matters, try the following:

  1. Run kinit -l 1000000 to get a long-lived Kerberos ticket.
  2. Start a screen.
  3. Outside the screen, run kinit to get a short-lived ticket.
  4. Inside the screen, run klist -Tf. Your long-lived ticket has been overwritten by the short-lived one, because both shells use the same credential cache file. The same thing happens implicitly every time you, for instance, unlock your screensaver. It does not happen if you follow the "trick" above, because screen then uses its own copy of the cache :-)
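The following is an added example, not part of the original page: it isolates the copy step of the trick above into a shell script you can run without a KDC. It checks that KRB5CCNAME names a FILE: cache (the only type cp can copy), takes a mode-0600 private copy, and then simulates the outside kinit by overwriting the original. The function names and the fake cache contents are this example's own constructions; a real session would use kinit and klist as shown above.

```sh
#!/bin/sh
# Added example (not from the NA-Wiki page): snapshot a Kerberos FILE:
# credential cache into a private copy so that a later kinit in the parent
# session cannot overwrite the tickets that screen inherits.

# Print the path of a FILE: credential cache given a KRB5CCNAME value.
# Refuses other cache types (KCM:, DIR:, MEMORY:), which cp cannot copy.
ccache_path() {
    name=$1
    case "$name" in
        FILE:*) printf '%s\n' "${name#FILE:}" ;;
        /*)     printf '%s\n' "$name" ;;      # bare path means FILE: by default
        *)      echo "ccache_path: unsupported cache type: $name" >&2; return 1 ;;
    esac
}

# Copy the cache named by $1 into a fresh mode-0600 temp file and print the
# KRB5CCNAME value to use inside screen.
snapshot_ccache() {
    src=$(ccache_path "$1") || return 1
    [ -r "$src" ] || { echo "snapshot_ccache: cannot read $src" >&2; return 1; }
    old_umask=$(umask)
    umask 077                      # the copy holds a TGT: never world-readable
    dst=$(mktemp) || return 1
    umask "$old_umask"
    cp "$src" "$dst" || return 1
    printf 'FILE:%s\n' "$dst"
}

# Demonstration with a constructed fake cache file standing in for a real
# Heimdal/MIT cache; no KDC is needed.
demo() {
    fake=$(mktemp) || return 1
    echo 'long-lived TGT' > "$fake"
    new=$(snapshot_ccache "FILE:$fake") || return 1
    # Simulate the screensaver / outside kinit overwriting the original cache:
    echo 'short-lived TGT' > "$fake"
    # The private copy still holds the long-lived tickets.
    cat "${new#FILE:}"
}
```

In a real session you would run `KRB5CCNAME=$(snapshot_ccache "$KRB5CCNAME") screen -U` after the long kinit; demo only shows that the copy is unaffected by what happens to the original afterwards.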

Note: I do not know why the afslog command is needed. If you know, please update this page! The afslog command should be issued FROM INSIDE THE SCREEN and not from the shell from which you spawned the screen.

Possibly useful patches can be found here: http://www.dolda2000.com/~fredrik/patches/

Automation

Create a script called screen-krbafs with the following contents:

#!/usr/bin/env pagsh
# Get a long-lived, renewable, forwardable ticket in a fresh PAG.
kinit -f --renewable -l 30d || exit 1
# KRB5CCNAME looks like FILE:/tmp/krb5cc_XXXX; strip the "FILE:" prefix.
# If it is unset, the library default /tmp/krb5cc_<uid> is used.
CACHE=${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}
CACHE=${CACHE#FILE:}
# Private copy of the cache, so later kinits in this login do not touch it.
TEMPFILE=$(mktemp) || exit 1
cp "$CACHE" "$TEMPFILE" || exit 1
aklog
cd
KRB5CCNAME="$TEMPFILE" screen -U

Make it executable with chmod +x screen-krbafs. Running it then sets everything up as described in the previous section: a long-lived ticket in a private cache, AFS tokens, and a screen session using that cache.

You might also want a .screenrc in your home directory with the following contents:

screen -t kerberos 9 sh -c 'while true; do clear; klist -Tf; sleep 3600; done'
screen -t shell 0

to monitor the Kerberos tickets and AFS tokens from within screen. Press Ctrl-A followed by " (a double quote) to get the window list and switch between windows. In the window named kerberos you can watch your tickets and tokens; switch back to the window named shell with the same key combination.
