| < krb5-strength | Russ Allbery > Software | pam-krb5 > |
k5start and krenew are modified versions of kinit which add support for running as a daemon to maintain a ticket cache, running a command with credentials from a keytab and maintaining a ticket cache until that command completes, obtaining AFS tokens (via an external aklog) after obtaining tickets, and creating an AFS PAG for a command. They are primarily useful in conjunction with long-running jobs; for moving ticket handling code out of servers, cron jobs, or daemons; and to obtain tickets and AFS tokens with a single command.
k5start is a modified version of kinit. It can be used as a substitute for kinit (with some additional helpful options), but it can also obtain credentials automatically from a keytab. It can run as a daemon, waking up periodically to refresh credentials using that keytab, and can also check for the validity of tickets and only refresh if they're no longer valid.
Some of these capabilities have been included in Kerberos's kinit, but the ability to maintain tickets while running as a daemon has not and is useful for servers that need to use Kerberos. Using kstart allows the ticket handling to be moved out of the server into a separate process dedicated just to that purpose.
k5start can optionally run an external program whenever the ticket is refreshed to obtain an AFS token, and therefore can be used in conjunction with a program like aklog or afslog to maintain an AFS token. When built with support for AFS PAGs, it can also put the program in its own PAG so that its authentication doesn't affect any other programs.
krenew is identical to k5start except that rather than obtaining new tickets from a password or keytab, it renews an existing renewable ticket cache. It can be used to periodically renew tickets and optionally AFS tokens for long-running processes in cases where using a keytab is inappropriate (such as users running their own jobs with their own credentials).
As Kerberos programs, k5start and krenew require Kerberos libraries to link against. They have only been thoroughly tested with the MIT Kerberos and Heimdal libraries on Debian, but should work with the included Kerberos libraries on many other platforms.
Other than that, all you should need is a suitable C compiler. Neither program has been tested on non-Unix systems.
If you want the -t option to work, you need a program to obtain AFS
tokens from Kerberos tickets. You can specify the program to use on your
system with the --with-aklog option to configure; if that option is
not given, the first of aklog or afslog that is found on your path at
configure time will be used.
For AFS PAG support, one of Linux, Mac OS X, Solaris 11, the kafs library that comes with either Heimdal or KTH Kerberos, the kopenafs library that comes with newer OpenAFS, AFS header files (on any other platform besides AIX or IRIX), or AFS libraries (on AIX and IRIX) is required. AIX binaries with AFS PAG support may not run on AIX systems that do not have an AFS client installed due to how AIX handles system calls.
To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later. Perl is also required to generate manual pages from a fresh Git checkout.
The distribution:
| kstart 4.3 | 2021-08-31 | tar.gz (PGP signature) | tar.xz (PGP signature) |
An archive of older releases is also available.
A Debian package (named kstart) is available from Debian as of Debian 4.0
(etch). It includes k5start, and krenew built with setpag support and
/usr/bin/aklog as the aklog path. See the
Debian package tracker for
more information.
kstart is maintained using the Git version control system. To check out the current development tree, see GitHub or clone:
https://git.eyrie.org/git/kerberos/kstart.git
Pull requests on GitHub are welcome. You can also browse the current development source.
User documentation:
Developer documentation:
The kstart package as a whole is covered by the following copyright and license:
Copyright 2015, 2021 Russ Allbery <eagle@eyrie.org>
Copyright 1995-1997, 1999-2002, 2004-2012, 2014 The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the kstart source distribution.
| < krb5-strength | Russ Allbery > Software | pam-krb5 > |