runauth

Warning

This package is obsolete. It only supports Kerberos v4 and uses other obsolete programs to get tickets. Equivalent functionality for Kerberos v5 has been added to kstart directly, and runauth will receive no further releases. k5start or krenew should be used instead of this program.

Description

This is a simple shell wrapper (for portability and simplicity) around a variety of Kerberos programs, designed to simplify the process of running a command with Kerberos and possibly AFS credentials, isolated from the authentication of other commands running on the same system. It obtains a Kerberos ticket from a srvtab, optionally obtains an AFS token in a new PAG, and then runs a command, possibly as some other user. It then cleans up the credentials afterwards.

It can use either kstart or ksrvtgt (from your favorite Kerberos v4 distribution) to obtain Kerberos v4 tickets. We used it only for AFS with Kerberos v4, but it should be possible to make it work with Kerberos v5 and a keytab as well using k5start. ksrvtgt can only obtain five minute tickets, but with kstart the tickets can be as long-lived as necessary (for longer than the maximum ticket lifetime, kstart can be run in daemon mode to periodically refresh the ticket).

Equivalent functionality has now been added to kstart directly, which also has the advantage of managing credentials for the lifetime of the process more easily, requiring fewer software dependencies, and being somewhat easier to use. runauth may still be useful for Kerberos v4 sites if you don't have the libraries on-hand to build kstart with AFS PAG support, but it is frozen in favor of improving kstart and should be considered obsolete.
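The sequence described above (private credentials, run the command, clean up afterwards) can be sketched in a few lines of POSIX shell. This is an added example, not runauth's own code: the run_isolated function and the GET_TICKET hook are hypothetical names, and it assumes a Kerberos v5 file cache selected through KRB5CCNAME rather than a v4 ticket file. The AFS PAG and token step is left out.

```shell
#!/bin/sh
# Added sketch of the wrapper pattern (not runauth's code): private credential
# cache, run the command, remove the cache however the command ends.

# GET_TICKET is a hypothetical hook: a command line that fills the cache named
# by $KRB5CCNAME, for example "kinit -k -t /path/to/keytab service/host".
# It defaults to the no-op "true" so the sketch runs on a host without Kerberos.
: "${GET_TICKET:=true}"

run_isolated() {
    # Subshell: the cache variable, umask and traps never touch the caller.
    (
        umask 077
        cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_iso_XXXXXX") || exit 1
        # Clean up on normal exit and on the usual termination signals.
        trap 'rm -f "$cache"' EXIT
        trap 'exit 129' HUP
        trap 'exit 130' INT
        trap 'exit 143' TERM
        KRB5CCNAME="FILE:$cache"
        export KRB5CCNAME
        # Unquoted on purpose: GET_TICKET holds a command plus its arguments.
        $GET_TICKET || exit 1
        # Not exec'd, so the EXIT trap still runs after the command finishes.
        "$@"
        exit $?
    )
}
```

Because the cache path is unique per invocation and exported only inside the subshell, concurrent jobs on the same host never share or overwrite each other's tickets.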

Requirements

The script will have to be customized for your local environment, at the least changing the paths to various programs at the top of the script and changing the location of the shell on the first line. runauth uses pagsh.krb, which comes with AFS, to run in a new PAG and with a different Kerberos v4 ticket file from anything else running on the same system.

Obviously, you need some sort of Kerberos installation (if you don't have one, there would be no point to this script). For tickets that live longer than five minutes, you need kstart (and a version before 4.0, which removed Kerberos v4 support). For AFS token support, you need AFS and some program to obtain AFS tokens from a ticket (such as aklog or afslog from KTH Kerberos). runauth is capable of running the program as a different user; for that, you will need to have setuidgid from daemontools installed.

For very long-lived tickets, runauth will run kstart in daemon mode. To kill the running kstart properly when the command exits, runauth needs a ps command that supports the -o option. System V and current Linux ps implementations should be fine.

Download

The program:

runauth 1.15 (2009-05-18)

Documentation

License

Copyright 1998, 1999, 2000, 2001, 2002, 2003, 2005 The Board of Trustees of the Leland Stanford Junior University.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Last spun 2022-02-06 from thread modified 2013-01-04