% kstart-slides.tex -- Slides for AFS talk on daemons, PAGs, and authn. % $Id: kstart-slides.tex 75 2006-06-06 17:27:17Z eagle $ % % Written by Russ Allbery \documentclass[landscape,semhelv]{seminar} \usepackage{url} \usepackage{hyperref} \newpagestyle{mypagestyle}% {Stanford University \hfil \thedate \hfil \thepage}% {\hfil Russ Allbery (rra@stanford.edu) \hfil} \pagestyle{mypagestyle} \begin{document} \begin{slide} \begin{center} {\large Daemons, PAGs, and Automated Authentication} \vspace{1in} Russ Allbery \\ June 13, 2005 \end{center} \end{slide} \begin{slide} \section*{Contents} \begin{itemize} \item Overview of tokens and PAGs \item Srvtabs and keytabs \item Issues with authenticated daemons \item Why kstart? \item PAG or not to PAG \item Single commands \end{itemize} \end{slide} \begin{slide} \section*{Tokens and PAGs} \begin{itemize} \item External program to get token \item A token is credentials shoved into the kernel \item Association is by PAG or by UID \item Without PAGs, all processes with the same UID share a token, token is not inherited across setuid \item Users put into PAGs by the login process \item Daemons started at boot (or from cron or atd) outside of PAGs \end{itemize} \end{slide} \begin{slide} \section*{Srvtabs and keytabs} \begin{itemize} \item Passwords stored on disk \item srvtab is K4, keytab is K5 \item Keytabs are massively better, more structured \item \texttt{kinit} can obtain credentials from keytab \item Need distribution mechanism (talk for next year!) \end{itemize} \end{slide} \begin{slide} \section*{Authenticated Daemons} \begin{itemize} \item Need to obtain Kerberos credentials automatically \item Need to refresh credentials automatically \item Need to refresh tokens automatically \item Must not interfere with each other \item Must not be interfered with by users (including root) \item Application can't do any of the work \end{itemize} \end{slide} \begin{slide} \section*{Why kstart?} \begin{itemize} \item K4 \texttt{kinit} completely deficient \item K5 \texttt{kinit} much better, but \texttt{kstart} had evolved \item Runs as daemon to maintain credentials \item Forks token-getting program as needed \item Checks ticket expiration (\texttt{-H}) \item Can run command with credentials, PAG \item \texttt{k4start} and \texttt{k5start} \item Similarities to Heimdal \texttt{kcm} \end{itemize} \end{slide} \begin{slide} \section*{kstart Example (daemon)} \begin{verbatim} exec /usr/bin/setuidgid www-data /usr/bin/k5start \ -t -l 10h -K 30 -f /etc/srvtab.www \ -k /var/run/web/www.k4.tgt service.www \end{verbatim} \end{slide} \begin{slide} \section*{PAG or not to PAG} \begin{itemize} \item In a PAG is safest, keeps everything isolated \item Keeps too much isolated -- \texttt{kstart} or equivalent needs to be in the same PAG \item Harder to monitor/restart \texttt{kstart} \item Not in a PAG requires special care to start \item \texttt{at now} is very useful \item \texttt{kstart} can be run from init \item We use djb's daemontools, requires buying into the mindset, best if run everywhere uniformly \end{itemize} \end{slide} \begin{slide} \section*{Single Commands} \begin{itemize} \item Different but related set of issues from daemons \item Always use a PAG -- not colliding is even more important \item Lifetime tied to life of process, not forever -- hard to predict in advance \item \texttt{kstart} tries to do all the right things \item Replacement for older \texttt{runauth} script \item Should be very simple \end{itemize} \end{slide} \begin{slide} \section*{kstart Example (command)} \begin{verbatim} /usr/bin/k5start -qtU -f /etc/keytab.subversion -- \ /usr/bin/rsync -rlt --delete /srv/svn/backups/ \ /afs/ir/service/pubsw/data/subversion/ \end{verbatim} \end{slide} \begin{slide} \section*{Bonus Slide: Multiple Realms} \begin{itemize} \item Problem: K5 ticket cache and multiple realms \item Solution: Realm switching aliases \item Ticket cache per realm \item Changing realms changes prompt \item Role of \texttt{k5start -H} -- only reauth when needed \end{itemize} \end{slide} \end{document}