kstart 4.2

kstart is a collection of two utilities for managing Kerberos tickets, particularly focused on the needs of long-running commands or daemons.

This release has taken embarrassingly long to release, given that the last release was in January of 2012. Sorry about that, particularly those who were stuck on various bugs! This code base, particularly the test suite, is in dire need of significant refactoring, which reduces my desire to work on it, and then I ran very, very short on free software time.

This release is important because I think I've finally worked through all the various tricky complexity of startup when running a command under k5start.

The core problem: the original k5start exited when authentication failed. However, it's very nice to start daemons that need a Kerberos ticket by running them via k5start. But if this is done during system startup, the network may not be up yet, and one may not be able to contact the KDC. It's very difficult to get the timing right just by adjusting init scripts.

The core fix in this release is that k5start run as a daemon or with a command, and krenew run with the -i option, now keep retrying the authentication or renewal until it succeeds. The first retry is immediate; after that, retries use exponential backoff, starting with a delay of one second and growing to intervals of one minute, and then continue at a delay of one minute until one succeeds. The command isn't run until the authentication works, so (unlike previous versions) k5start won't start the command without a Kerberos ticket. That should fix various problems people are having.
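The retry schedule described above, sketched as an added example (this is not kstart's own code). It assumes the backoff doubles on each retry, which the post does not state, and uses a constructed simulated KDC outage in place of real Kerberos calls; all function names are hypothetical.

```c
#include <stdio.h>

#define MAX_DELAY 60 /* seconds; the one-minute cap described in the post */

typedef int (*auth_fn)(void *ctx);               /* returns 0 on success */
typedef void (*sleep_fn)(unsigned secs, void *ctx);

/* Delay before retry number n (1-based): 0, 1, 2, 4, ... capped at 60.
 * Doubling is an assumption; the post only says "exponential". */
unsigned retry_delay(unsigned n)
{
    unsigned delay = 1;
    if (n <= 1)
        return 0; /* the first retry is immediate */
    for (unsigned i = 2; i < n && delay < MAX_DELAY; i++)
        delay *= 2;
    return delay > MAX_DELAY ? MAX_DELAY : delay;
}

/* Block until auth succeeds; return how many attempts it took. The caller
 * starts the command only after this returns, so it never runs ticketless. */
unsigned auth_until_success(auth_fn auth, sleep_fn nap, void *ctx)
{
    unsigned attempts = 1;
    for (; auth(ctx) != 0; attempts++) {
        unsigned delay = retry_delay(attempts);
        if (delay > 0)
            nap(delay, ctx);
    }
    return attempts;
}

/* Constructed stand-in for a KDC that is unreachable during boot. */
struct sim { unsigned failures_left; unsigned slept; };
static int sim_auth(void *ctx) { struct sim *s = ctx; return s->failures_left ? (s->failures_left--, -1) : 0; }
static void sim_sleep(unsigned secs, void *ctx) { ((struct sim *)ctx)->slept += secs; }

/* Simulate `failures` failed attempts; return attempts, report total wait. */
unsigned simulate_outage(unsigned failures, unsigned *slept)
{
    struct sim s = { failures, 0 };
    unsigned attempts = auth_until_success(sim_auth, sim_sleep, &s);
    *slept = s.slept;
    return attempts;
}

int main(void)
{
    unsigned slept, attempts = simulate_outage(10, &slept);
    printf("ticket after %u attempts, %u s of backoff\n", attempts, slept);
    return 0;
}
```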

There are also some new options to tweak the renewal behavior. -H can now be used in combination with -K to specify how long of a minimum ticket lifetime k5start or krenew should try to maintain. Alternately, there's now a -a flag that tells both to attempt an authentication or renewal every time they wake up (at the interval specified with -K). This probably should have been the default for -K originally, but I didn't change the original behavior for backwards compatibility.

There are also a couple of bug fixes: the temporary ticket cache created by k5start is cleaned up properly, and the programs no longer incorrectly reject the combination of -b and -K or a command.

You can get the latest version from the kstart distribution page.

Posted: 2015-12-25 18:32

Last modified and spun 2015-12-26