Getting tokens for arla jobs and processes

Dr A V Le Blanc LeBlanc at mcc.ac.uk
Fri Apr 28 15:03:41 CEST 2000


I don't know if this is what Scott Stonefield was looking for,
but some of you may find it useful.  I've ported some programs
I wrote for AFS on other systems to work with arla and
KTH kerberos 4.  The programs are:

     update_token [ user ]

update_token presumes the user (which defaults to 'adm.admin')
has an AFS key in a file in a secure directory (we use
/local/pinafore/sec, and have it owned by root and 0700);
the file must be named 'user.key'; for example, 'adm.admin.key'.
update_token reads this key and gets an AFS token, which it
saves in the same directory as 'user.token'; for example,
'adm.admin.token'.

     afscron [-v] [-p] [-s] [-u user] [-c command]

afscron is a program for running cron jobs on an AFS system.
It presumes the user in question has an AFS token in a file
created by update_token.  The options are:

     -v           verbose; useful for debugging; default is quiet
     -p           do not get a new PAG; default is to get a PAG
     -s           set uid and gid to the user's uid and gid, as
                  determined by getpwent(); default runs as root
     -u user      run the job as this user; default is adm.admin
     -c command   execute this command; default is /bin/bash

And finally,

     wwwrenew [ -v ]

wwwrenew is a program designed to renew the AFS token for a web
server.  It assumes the token is available in a file as above.
The user name www is hard-coded in this.

Note that these programs must be used very carefully, or you may
compromise the security of your system.  update_token should
normally be run as root in a cron job; we do this every 8 hours.
afscron should normally only be run as root by cron; if a user
wants a cron job that reads or writes his AFS filestore, I run
(as root)

     afscron -s -u fred -c ~fred/bin/cron.script

and it will do whatever he puts in the script, using his own
token and ID.  Stuff that has to be run as a system administrator
runs as

     afscron -c admin.script

For wwwrenew, we have a web server running authenticated, started
at boot time by

     afscron -u www -c '~www/apachectl start'

This token expires in 30 days.  Once a day I run a cron job
which uses lynx to run a cgi-bin script that calls wwwrenew.
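An added check for the layout the post relies on (this is my own example, not part of tokens.tgz): it verifies the key directory is 0700 and root-owned, that user.key and user.token give group and other no access, and that the token has been rewritten within the 8-hour update_token interval. The directory, user, owner and interval are parameters; only the defaults (/local/pinafore/sec, root, 480 minutes) follow the post.

```shell
# Added example (not part of tokens.tgz): sanity-check the layout that
# update_token and afscron depend on.
#   check_token_dir DIR USER [OWNER] [MAX_MIN]
# DIR must be a 0700 directory owned by OWNER (default root);
# DIR/USER.key and DIR/USER.token must exist, be owned by OWNER and
# give group/other no access; USER.token must have been rewritten
# within MAX_MIN minutes (default 480, the 8-hour update_token cron).
# Returns 0 if all checks pass, 1 otherwise; problems go to stderr.

_mode_owner() {
    # Prints "<ls mode string> <owner>" for one path, e.g. "drwx------ root".
    ls -ld "$1" 2>/dev/null | awk '{print $1, $3}'
}

check_token_dir() {
    dir=$1; user=$2; owner=${3:-root}; max_min=${4:-480}
    rc=0

    set -- $(_mode_owner "$dir")
    case "$1" in
        drwx------*) ;;     # a trailing '+' (ACL present) is accepted
        *) echo "$dir: must be a directory with mode 0700 (got '${1:-missing}')" >&2; rc=1 ;;
    esac
    [ "$2" = "$owner" ] || { echo "$dir: must be owned by $owner (got '${2:-none}')" >&2; rc=1; }

    for f in "$dir/$user.key" "$dir/$user.token"; do
        set -- $(_mode_owner "$f")
        case "$1" in
            "")          echo "$f: missing" >&2; rc=1; continue ;;
            -???------*) ;;  # owner-only permissions, whatever they are
            *)           echo "$f: group/other must have no access (got '$1')" >&2; rc=1 ;;
        esac
        [ "$2" = "$owner" ] || { echo "$f: must be owned by $owner (got '$2')" >&2; rc=1; }
    done

    # A token older than the refresh interval means the update_token cron
    # job has not run (or failed); jobs will start failing once it expires.
    tok="$dir/$user.token"
    if [ -f "$tok" ] && [ -n "$(find "$tok" -mmin +"$max_min" 2>/dev/null)" ]; then
        echo "$tok: not refreshed in $max_min minutes; check the update_token cron job" >&2
        rc=1
    fi
    return $rc
}

# Example invocation with the post's defaults:
#   check_token_dir /local/pinafore/sec adm.admin
```

Run it from the same root cron that runs update_token, or by hand before handing a user an afscron job, so a mis-permissioned key file or a dead refresh job shows up before a token-dependent job silently fails.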

I hope someone finds these things useful.  They are released under
GPL, and they contain bits of code hacked out of ssh, arla's klog,
and a few other sources.  Currently at ftp.mcc.ac.uk:/pub/misc/arla
in the file tokens.tgz.

     -- Owen
     LeBlanc at mcc.ac.uk
