Jason Edgecombe <[EMAIL PROTECTED]> writes:

> Does anyone have a script that reauthenticates a user's process for a
> long running job? I'm looking for something that you can run before a
> job or during the job that asks for the user's password and
> reauthenticates to kerberos 5 and renews the tokens. The user wants to
> run jobs for 15 days and I don't want to extend the kerberos ticket
> lifetime for that long.

We have such a program, but only for Kerberos v4, which probably isn't very useful. However, I would strongly encourage you to *not* do this, since having the user's password sitting around in a running process isn't a great security practice.

Instead, rather than increasing the maximum ticket lifetime, increase the *renewable* ticket lifetime to 15 days. That's what renewable tickets are for. Then, have the user run their job via a program such as krenew from:

    <http://www.eyrie.org/~eagle/software/kstart/>

to automatically renew their tickets periodically.

The advantage of using renewable tickets over extended lifetime tickets is that if you invalidate the user's Kerberos entry for any reason (such as evidence of a compromise or, I *believe*, a key change), the ticket will only be valid for the regular lifetime of your tickets and the renewal will be rejected by the KDC. And that way the user's password isn't sitting around anywhere.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
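
A pre-flight check for the renewable-ticket approach described above, added here as an example (not code from the original post or from kstart): it parses `klist` output and reports whether renewals alone can carry a job of a given length. The MIT-style `klist` layout with US-format dates, the constructed sample text and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT-style `klist` output (assumed layout, not from the post).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.ORG

Valid starting       Expires              Service principal
03/01/2024 09:00:00  03/01/2024 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 03/16/2024 09:00:00
"""

TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
FMT = "%m/%d/%Y %H:%M:%S"

def parse_tgt(klist_text):
    """Return (expires, renew_until) for the TGT; renew_until is None if not renewable."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"\s*{TS}\s+{TS}\s+krbtgt/", line)
        if not m:
            continue
        expires = datetime.strptime(m.group(2), FMT)
        # A renewable ticket carries a "renew until" line right after its entry.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        r = re.match(rf"\s*renew until {TS}", nxt)
        renew_until = datetime.strptime(r.group(1), FMT) if r else None
        return expires, renew_until
    raise ValueError("no krbtgt entry in klist output")

def preflight(klist_text, now, job_length):
    """Hypothetical helper: can a job of job_length finish on ticket renewals alone?"""
    expires, renew_until = parse_tgt(klist_text)
    if expires <= now:
        return "expired: TGT is no longer valid, a fresh kinit is needed"
    if renew_until is None:
        return f"not-renewable: ticket ends at {expires} and cannot be renewed"
    if renew_until < now + job_length:
        # The KDC refuses renewals past this point, however often they are requested.
        return f"too-short: renewals stop at {renew_until}"
    return "ok"

if __name__ == "__main__":
    # Ticket obtained 30 minutes before the job starts, with a 15-day renewable life.
    print(preflight(SAMPLE_KLIST, datetime(2024, 3, 1, 9, 30), timedelta(days=15)))
```

The renewable lifetime is counted from when the ticket was first issued, so a job that needs the full 15 days has to start on a freshly obtained ticket or be granted a slightly longer renewable lifetime.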