How can I use a keytab in AFS to authenticate to Kerberos?
Asked by Dick Guertin
On Ubuntu (Linux) with AFS files, I need to obtain a Kerberos ticket with "kinit" before I can do "aklog" to access the AFS files. I can't access a "keytab" file stored in AFS to do "kinit" before doing "aklog". It appears to be a Catch-22. Any suggestions? I'm currently doing something like `echo "password" | kinit user@realm`, which doesn't work on Mac OSX, but does in Linux. I'm running unattended "cron" jobs that don't have AFS access until they establish access with "kinit" and "aklog".
Usually, you don't put a keytab in /afs if you're planning on using that keytab to authenticate to AFS. That's like storing the key to a safe inside the safe itself; like you said, it's a catch-22. You also should not be running `echo "password" | kinit`; you're just replacing storing the keytab with storing a password somewhere, and keytabs are intended to be a superior replacement for echoing passwords around. If you `echo "password" | kinit` at any point in the script, another user may be able to view that password by looking in the process list, so that's not very secure.
Normally the way you provide authenticated AFS access to a cron job is to put the keytab on local disk, and have the script access that. You can then set the traditional Unix permissions on the keytab so that only you can access it. Not being able to access the local disk makes this a bit more difficult, but it is possible. I can think of a few approaches:
Have Cron Obtain Credentials For You
Some environments have the ability to obtain credentials for a special 'cron'-y user when running a cron job for a user. That is, you sign up for your cron jobs to run under the user 'cron.dguertin' instead of just 'dguertin'. The cron system itself then has access to a keytab to authenticate as 'cron.dguertin', and you can set AFS ACLs to allow cron.dguertin to access whatever files you want. I don't have insight into how these systems work, but I have heard of this at Stanford CS and Stanford IT and other places.
Of course, the system must be set up to do this. If you don't have any control over the infrastructure, this is not helpful to you.
Embedding Credentials in Cron
Assuming nobody else can read the contents of your crontab (which is true of traditional cron, so I assume it is true in whatever cron setup you're using), you can indeed just embed the credentials in the crontab file itself. However, as mentioned above, just echoing a password is usually not a good idea, since someone can look at the process list and see the password.
Some implementations of cron let you set environment variables before specifying the commands to run. For example:
Your script could then read in the value of the GUERTIN_PASSWORD environment variable, and pipe the password to kinit, or use it to decrypt an encrypted keytab/password, etc. Make sure to unset the GUERTIN_PASSWORD environment variable after reading it in, so it does not leak to child processes.
Or, you could actually embed a keytab file directly in the cron entry. That's a bit annoying since keytabs are binary data, but they tend to be pretty short. For example, if your keytab had the following contents:
Then you could create a cron entry like so:
And then your script could decode the base64, write out the contents to a temporary file, and run something like:
(k5start handles running `aklog` and setting up an AFS PAG for you). Or, using kinit/aklog:
Just make sure to clear the GUERTIN_KEYTAB environment variable before running any commands, as mentioned before.
Note that not all cron implementations let you separately set environment variables like this. Some cron implementations require you to do something like this:
But that is not useful in this situation, since that will cause the contents of the relevant environment variable to be visible via the process list.
Put the keytab in AFS
You actually can put the keytab in AFS, and then restrict access to it via IP address, so only the hosts running on the cluster can access it, without needing to authenticate to AFS first. OpenAFS does have some facilities for restricting access via IP, but they're a bit clumsy. It is also usually not recommended to use these, but in some cases (such as with cron jobs or other batch jobs), you don't have much choice. These are typically called "IP ACLs" or "host ACLs".
To do this, you create a user for the IP address you want:
and then you can simply add that to an AFS ACL like normal:
If you want to restrict access to a range of IPs, the AFS host ACLs have some primitive abilities to wildcard IPs:
That will allow the entire 198.51.100.0/24 range to be able to read that dir. Any '0' segment in the IP address will be treated as a wildcard. (You still need to create the 198.51.100.0 user.) If you want to allow access for several ranges or several individual IPs, just add them to the ACL like you would grant access to several users.
Note that host ACLs can take a couple of hours to become effective after they are first used. This is because the rights for an individual host are only recalculated periodically in the background. This can be really confusing, so if you ever want to use these, just wait a couple of hours if it seems like it's not working.
However, this is not useful if you cannot create the relevant IP users.
Put the keytab Somewhere Else
Or of course you can put the keytab on a webserver, like you mentioned, and have the webserver restrict access to the keytab via IP address. The same approach would also work with putting the contents of the keytab in a database and restricting access to the database by IP, or any other mechanism that can restrict access via IP.
To do this via a webserver, just put the keytab in some directory in /afs, and restrict the AFS ACLs so that only the webserver can read it (assuming the webserver runs with AFS credentials). Then configure the webserver to only allow certain IPs to fetch that file.
Combinations
You can also, of course, combine any of the above approaches. If you don't trust all accesses from the cluster machine IPs, but you're not completely confident of the "embedding passwords in cron" approach, you could restrict access to the keytab by IP address using one of the mechanisms above, and also encrypt the keytab using a password you embed in the crontab entry with environment variables, described above.
Also, I recognize that many of these solutions are pretty cumbersome and/or roundabout. This is why several sites have their own mechanism for obtaining cron-specific credentials for users, so you don't have to go through all of this. Without having a keytab locally that only your cronjobs can access, all of these other approaches are pretty obviously hack-y.
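One way to implement the "embed a base64 keytab in the crontab" approach from the answer above, as an added example that is not part of the original answer: the job decodes the GUERTIN_KEYTAB variable into a private temp file, unsets the variable so no child process inherits it, and then uses the keytab with k5start or kinit/aklog. The variable name, the principal, the job command and the sample keytab bytes are assumptions (the sample is constructed, not a real keytab).

```shell
#!/bin/sh
# Added example: consume a base64-encoded keytab passed through a crontab
# environment variable. Nothing here is from the original answer.
set -e

# Decode the env var named by $1 into a mode-0600 temp file (mktemp creates it
# that way, no chmod race). Sets KEYTAB_FILE and unsets the variable so that
# kinit, aklog and the job itself never see the keytab in their environment.
materialize_keytab() {
    _var=$1
    eval "_b64=\${$_var:-}"
    if [ -z "$_b64" ]; then
        echo "materialize_keytab: $_var is empty or unset" >&2
        return 1
    fi
    unset "$_var"
    KEYTAB_FILE=$(mktemp "${TMPDIR:-/tmp}/keytab.XXXXXX")
    printf '%s' "$_b64" | base64 -d > "$KEYTAB_FILE"
    unset _b64
}

# Get a TGT from the keytab, an AFS token, run the job, then clean up.
# A private credential cache keeps the job from clobbering a login session's cache.
# Usage (principal and job are assumptions): run_with_afs_creds user@REALM.EXAMPLE /path/to/job.sh
run_with_afs_creds() {
    principal=$1; shift
    materialize_keytab GUERTIN_KEYTAB || return 1
    KRB5CCNAME="FILE:$(mktemp "${TMPDIR:-/tmp}/krb5cc.XXXXXX")"; export KRB5CCNAME
    rc=0
    if command -v k5start >/dev/null 2>&1; then
        # -U reads the principal from the keytab, -t runs aklog, then the command runs
        k5start -U -f "$KEYTAB_FILE" -t -- "$@" || rc=$?
    else
        { kinit -k -t "$KEYTAB_FILE" "$principal" && aklog && "$@"; } || rc=$?
    fi
    kdestroy >/dev/null 2>&1 || true
    rm -f "$KEYTAB_FILE" "${KRB5CCNAME#FILE:}"
    return $rc
}
```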