kstart

Description

k5start is a modified version of kinit that can use keytabs to authenticate, can run as a daemon and wake up periodically to refresh a ticket, and can run single commands with their own authentication credentials and refresh those credentials until the command exits. We it here at Stanford to maintain Kerberos tickets for services that need to authenticate to Kerberos so that the services don't have to include all that logic themselves.

k5start can optionally run a program after each time that the ticket has been refreshed. We use this to run aklog or afslog to maintain an AFS token for services that need to authenticate to AFS. Both programs can also run a specific command with authentication, renewing the credentials until the command completes. There is also support for AFS PAGs, putting the command in its own PAG so that its credentials don't interfere with any other processes on the system.

krenew is identical to k5start except that, rather than initializing a ticket cache from a password or keytab, it renews an existing renewable ticket cache. It can be used to periodically renew tickets and optionally AFS tokens for long-running processes in cases where using a keytab is inappropriate (such as users running their own jobs with their own credentials).

R.L. "Bob" Morgan originally wrote k4start (as kstart), and Booker Bense added many features and wrote k5start based on it. I reworked the code a fair bit, added the AFS PAG support and the ability to run a specific command based on runauth, and added krenew. I currently maintain the package for Stanford.

Requirements

k5start and krenew are written in C and require a C compiler to build. Both also require Kerberos libraries. They have primarily been tested with the MIT Kerberos libraries, but will also work with Heimdal.

If you want the -t option to work, you need a program to obtain AFS tokens from Kerberos tickets, such as aklog from OpenAFS or afslog from Heimdal.

For AFS PAG support, one of Linux, Mac OS X, Solaris 11, the kafs library that comes with either Heimdal or KTH Kerberos, the kopenafs library that comes with newer OpenAFS, AFS header files (on any other platform besides AIX or IRIX), or AFS libraries (on AIX and IRIX) is required. AIX binaries with AFS PAG support may not run on AIX systems that do not have an AFS client installed due to how AIX handles system calls.

To run the test suite, you must have the Perl 5.006 or later and the modules Test::More and Test::Pod installed. Test::More comes with Perl 5.8 or later and Test::Pod is available from CPAN. You will also need the kinit and klist commands from MIT Kerberos, not Heimdal. To check spelling in the documentation, you will additionallly need Pod::Spell (available from CPAN) and either aspell or ispell.

To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later. Perl is also required to generate the manual pages from a fresh Git checkout.

Download

The distribution:

kstart 4.1 2012-01-08 Download PGP signature

An archive of older releases is also available.

A Debian package (named kstart) is available from Debian as of Debian 4.0 (etch). It includes k5start, and krenew built with /usr/bin/aklog as the aklog path and setpag support.

kstart is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/kerberos/kstart.git

You can also browse the current development source.

Documentation

User documentation:

Developer documentation:

License

The kstart package as a whole is released under the following license:

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the kstart source distribution.

Last modified and spun 2014-08-10