I'm pleased to announce release 3.11 of kstart, exactly one year after the
previous release. Lots of code has changed in this release, so please let
me know if there are any problems.

k4start, k5start, and krenew are modified versions of kinit which add
support for running as a daemon to maintain a ticket cache, running a
command with credentials from a keytab and maintaining a ticket cache
until that command completes, obtaining AFS tokens (via an external aklog)
after obtaining tickets, and creating an AFS PAG for a command. They are
primarily useful in conjunction with long-running jobs; for moving ticket
handling code out of servers, cron jobs, or daemons; and to obtain tickets
and AFS tokens with a single command.

Changes from previous release:

Add a -c option to k4start, k5start, and krenew, which writes out the
PID of the child process when running a command. This is similar to
-p, but writes out the command PID rather than the PID of k4start,
k5start, or krenew. Based on a patch by Sascha Tandel.

Add a -H option to krenew that works similarly to the -H option for
k5start: checking whether the remaining lifetime of the ticket is
already long enough, only renewing if it isn't, and exiting with a
status indicating whether the resulting ticket had a sufficiently long
lifetime. Based on a patch by Gautam Iyer.

Add -o, -g, and -m options to k4start and k5start to set the owner,
group, and mode of the ticket cache after creation. These options
cannot be used with a specified command or with -K since, after making
those changes, the Kerberos library won't permit reading or writing to
the ticket cache. Based on a patch by Howard Wilkinson.

Significantly update the AFS setpag support. The option to build with
AFS setpag support is now --enable-setpag. On most platforms, if
libkafs is not found, kstart uses an internal AFS system call
implementation that doesn't require linking with the AFS libraries.
The AFS libraries are used only on AIX and IRIX. On platforms other
than Linux, pass --with-afs to configure to specify the location of
the AFS include files and libraries.

Redo the build machinery for Kerberos v4 and Kerberos v5 libraries to
take advantage of portability improvements from other projects.
kstart will now hopefully build with AIX's Kerberos libraries and get
more of the edge cases right. Instead of --with-kerberos, use
--with-krb5 to specify the path to the Kerberos v5 libraries and
--with-krb4 to specify the path to the Kerberos v4 libraries.

After backgrounding, reauthenticate if necessary before writing out
the PID file in case we need tickets or tokens to write the file.

Close the keytab after determining the principal with k5start -U.

--enable-static is no longer supported. This is generally unnecessary
and complex to support in combination with other options.

kstart now has a basic test suite, although not all functionality is
tested yet. See README and tests/data/README for information on how
to enable the tests that are there.

You can download it from:

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (firstname.lastname@example.org)