| < krb5-sync | Russ Allbery > Software | pam-krb5 > |
k4start (for Kerberos v4) and k5start (for Kerberos v5) are modified versions of kinit that can use srvtabs or keytabs to authenticate, can run as daemons and wake up periodically to refresh a ticket, and can run single commands with their own authentication credentials and refresh those credentials until the command exits. We use them here at Stanford to maintain Kerberos tickets for services that need to authenticate to Kerberos so that the services don't have to include all that logic themselves. k4start is also useful as a much more powerful Kerberos v4 kinit (Kerberos v5 kinit added most of the features missing from the Kerberos v4 version).
Both programs can optionally run a program after each time that the ticket has been refreshed. We use this to run aklog or afslog to maintain an AFS token for services that need to authenticate to AFS. Both programs can also run a specific command with authentication, renewing the credentials until the command completes. There is also preliminary support for AFS PAGs, putting the command in its own PAG so that its credentials don't interfere with any other processes on the system.
krenew is identical to k5start except that, rather than initializing a ticket cache from a password or keytab, it renews an existing renewable ticket cache. It can be used to periodically renew tickets and optionally AFS tokens for long-running processes in cases where using a keytab is inappropriate (such as users running their own jobs with their own credentials).
R.L. "Bob" Morgan originally wrote k4start (as kstart), and Booker Bense added many features and wrote k5start based on it. I reworked the code a fair bit, added the AFS PAG support and the ability to run a specific command based on runauth, and added krenew. I currently maintain the package for Stanford.
k4start is generally frozen and is no longer actively tested in new releases. I will fix bugs in k4start where possible, but I no longer have a Kerberos v4 realm with which to test. New features added to k5start and krenew will not be added to k4start.
k4start, k5start, and krenew are written in C and require a C compiler to build. k4start also requires Kerberos v4 libraries and k5start requires Kerberos v5 libraries. They have primarily been tested with the MIT Kerberos libraries, but will also work with the Heimdal and KTH Kerberos libraries. k5start and krenew, by themselves, require only Kerberos v5 libraries (MIT or Heimdal).
If you want the -t option to work, you need a program to obtain AFS tokens from Kerberos tickets, such as afslog from Heimdal, aklog from arla or any number of other places, or kafslog from KTH Kerberos v4.
AFS PAG support on platforms other than Linux requires the kafs library that comes with either Heimdal or KTH Kerberos, AFS header files (on any other platform besides AIX or IRIX), or AFS libraries (on AIX and IRIX). AIX binaries with AFS PAG support may not run on AIX systems that do not have an AFS client installed due to how AIX handles system calls. On Linux, kstart uses its own internal implementation of the AFS system call interface and doesn't require any external libraries.
To run the test suite, you must have Perl 5.006 or later and the modules Test::More and Test::Pod installed. Test::More comes with Perl 5.8 or later and Test::Pod is available from CPAN. To check spelling in the documentation, you will additionally need Pod::Spell (available from CPAN) and ispell installed.
If you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.10 or later. If you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.61 or later.
The distribution:
| kstart 3.14 | 2008-07-23 | Download | PGP signature |
An archive of older releases is also available.
Documentation:
A Debian package (named kstart) is available from Debian as of Debian 4.0 (etch). It includes k4start, k5start, and krenew built with /usr/bin/aklog as the aklog path and setpag support.
kstart is maintained using the Git version control system. To check out the current development tree, clone:
git://git.eyrie.org/kerberos/kstart.git
You can also browse the current development source.
The primary license is:
Copyright 1995, 1996, 1997, 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007, 2008 Board of Trustees, Leland Stanford Jr. University. All rights reserved.
Based on code copyright 1987, 1988 by the Massachusetts Institute of Technology.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the kstart source distribution.