Getting tokens for arla jobs and processes
Dr A V Le Blanc
LeBlanc at mcc.ac.uk
Fri Apr 28 15:03:41 CEST 2000
I don't know if this is what Scott Stonefield was looking for,
but some of you may find it useful. I've ported some programs
I wrote for AFS on other systems to work with arla and
KTH Kerberos 4. The programs are:

    update_token [ user ]

update_token presumes the user (which defaults to 'adm.admin')
has an AFS key in a file in a secure directory (we use
/local/pinafore/sec, and have it owned by root and 0700);
the file must be named 'user.key'; for example, 'adm.admin.key'.
update_token reads this key and gets an AFS token, which it
saves in the same directory as 'user.token'; for example,
'adm.admin.token'.

    afscron [-v] [-p] [-s] [-u user] [-c command]

afscron is a program for running cron jobs on an AFS system.
It presumes the user in question has an AFS token in a file
created by update_token. The options are:

    -v          verbose; useful for debugging; default is quiet
    -p          do not get a new PAG; default is to get a PAG
    -s          set uid and gid to the user's uid and gid, as
                determined by getpwent(); default runs as root
    -u user     run the job as this user; default is adm.admin
    -c command  execute this command; default is /bin/bash

And finally,

    wwwrenew [ -v ]

wwwrenew is a program designed to renew the AFS token for a web
server. It assumes the token is available in a file as above.
The user name www is hard-coded in this.
Note that these programs must be used very carefully, or you may
compromise the security of your system. update_token should
normally be run as root in a cron job; we do this every 8 hours.
afscron should normally only be run as root by cron; if a user
wants a cron job that reads or writes his AFS filestore, I run
(as root)

    afscron -s -u fred -c ~fred/bin/cron.script

and it will do whatever he puts in the script, using his own
token and ID. Stuff that has to be run as a system administrator
runs as

    afscron -c admin.script

For wwwrenew, we have a web server running authenticated (and
started at boot time by

    afscron -u www -c '~www/apachectl start'

). This token expires in 30 days. Once a day I run a cron job
which uses lynx to run a cgi-bin script that calls wwwrenew.
I hope someone finds these things useful. They are released under
GPL, and they contain bits of code hacked out of ssh, arla's klog,
and a few other sources. Currently at ftp.mcc.ac.uk:/pub/misc/arla
in the file tokens.tgz.
-- Owen
LeBlanc at mcc.ac.uk
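
Added example, not part of the original post or of tokens.tgz: a small audit of the key/token directory the post describes (owned by root, mode 0700, files named 'user.key' and 'user.token', refreshed every 8 hours). The function name, the check that the files themselves are not group/other accessible, and the "two missed refreshes" staleness threshold are assumptions of this example.

```python
import os
import stat
import time

REFRESH_SECONDS = 8 * 3600  # the post runs update_token from cron every 8 hours


def audit_token_dir(path, owner_uid=0, now=None):
    """Return a list of findings for an update_token key/token directory."""
    now = time.time() if now is None else now
    st = os.lstat(path)  # lstat: a symlinked directory is itself a finding
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory (symlink or file)"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if stat.S_IMODE(st.st_mode) != 0o700:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0700")
    for name in sorted(os.listdir(path)):
        if not name.endswith((".key", ".token")):
            continue
        fst = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(fst.st_mode):
            findings.append(f"{name}: not a regular file")
            continue
        if fst.st_uid != owner_uid:
            findings.append(f"{name}: owned by uid {fst.st_uid}, expected {owner_uid}")
        # Assumption: the post only fixes the directory mode; this example
        # additionally expects the files to be closed to group and other.
        if stat.S_IMODE(fst.st_mode) & 0o077:
            findings.append(f"{name}: readable or writable by group/other")
        if name.endswith(".key"):
            token = os.path.join(path, name[:-len(".key")] + ".token")
            if not os.path.exists(token):
                findings.append(f"{name}: no matching token file")
            # Assumption: two missed 8-hour refreshes means the cron job is failing.
            elif now - os.lstat(token).st_mtime > 2 * REFRESH_SECONDS:
                findings.append(f"{name}: token file not refreshed in the last 16 hours")
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/local/pinafore/sec"
    for finding in audit_token_dir(target):
        print(finding)
```

Run it as root against the real directory; an empty result means the layout matches what the post describes.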