Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 3.2. How do I run a cron job with Kerberos authentication?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Business Photos and Profiles ]


Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 3.1. What happens when my tickets expire?
Next Document: 3.3. How do I use renewable tickets?
See reader questions & answers on this topic! - Help others by sharing your knowledge
Nothing can authenticate to Kerberos without providing a password/encryption
key. The same holds true for cron jobs.

In practice, you typically have two choices for providing Kerberos
authentication for any program:

  1. A human types in a password on a keyboard.
  2. A password/encryption key is stored somewhere on a machine

Obviously, both of these also apply to cron jobs. So to provide Kerberos
authentication to cron jobs, you would either have to have a human type in a
password at the appropriate time, or store the password/encryption key
somewhere where the cron job could read it.

What I (and others) have done with success is the following:

  1. Create a special "cron" user (possibly username/cron).
  2. Use kadmin to place a keytab for that user on the workstation where you
     are going to use cron.

     kadmin: ktadd -k user.keytab username/cron

  3. Use the -k flag to kinit to get a TGT for that user using the stored
     keytab.

     kinit -k -t user.keytab username/cron

Note that this applies to any sort of unattended programs that you wish to
run, not just cron. Of course, you have to evaluate whether or not this is
acceptable to you; if the machine where you store this principal is
compromised, then this principal is compromised.

As an additional note, if you are just going to be running programs as root,
I would personally use the host principal, since it will likely already be
in place and is already used by other programs that run as root (telnetd,
ftpd, etc).

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 3.1. What happens when my tickets expire?
Next Document: 3.3. How do I use renewable tickets?

Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>





Last Update March 27 2014 @ 02:11 PM