[2856] in Kerberos
Re: ksrvtgt: more problems than it's worth?
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Oct 12 20:26:57 1993
To: mcb@mach.eng.hou.compaq.com (Mike Busby)
Cc: kerberos@MIT.EDU
In-Reply-To: Message <m0omsFu-0002PSC@mach.eng.hou.compaq.com> of "Tue, 12 Oct 93 17:31:45 CDT."
Date: Tue, 12 Oct 93 20:03:06 -0400
From: Ken Raeburn <raeburn@cambridge.cygnus.com>
The ksrvtgt program is supposed to be used for authentication on behalf of
the machine, sort of. More precisely, on behalf of some kind of daemon on
the machine. (The most obvious case is root@machine usually using the
rcmd.machine key, but that's not the only possibility.)
A srvtab key can be used in place of a password, so a daemon can initiate
an authenticated connection, instead of waiting for a user to type in a
password. You could also have a password stored in a file that the daemon
could feed to kinit, but why bother, especially if you already have a
srvtab file for the daemon? All the password is really good for is
generating the key that's already in the srvtab file.
Consider as an example a simple script which gets run as root via cron, to
distribute software to other machines:
#!/bin/sh
# hard for random user to hack here
KRBTKFILE=/etc/tkt-dist
export KRBTKFILE
/usr/kerberos/bin/ksrvtgt rcmd `hostname`
# rcmd.`hostname` is in /.klogin on xyzzy
exec /usr/kerberos/bin/rdist -c -R /usr/cygnus xyzzy:/usr/cygnus
# no, i don't have a kerberos rdist handy right now
Or perhaps a different service is used, and maybe the script isn't run as
root:
#!/bin/sh
echo '<<<' Gathering Zephyr statistics '>>>'
echo Stats on `hostname` ...
gather_zephyr_stats
# zephyr.zephyr service key is not stored in /etc/srvtab!
ksrvtgt zephyr zephyr /usr/spool/zephyr/srvtab
for host in zephyr-2 zephyr-3 ; do
echo Stats on $host ...
# "zephyr.zephyr" is in ~zephyr/.klogin on all machines
rsh $host -l zephyr gather_zephyr_stats
done
exit 0
Since an alternate srvtab file is specified, it doesn't have to be done as
root. But that srvtab file is presumably protected against access by users
other than the uid running the Zephyr services.
Also, in this latter case, where "zephyr.zephyr" is used everywhere instead
of "zephyr.hostname", this script could be run from any host with the
Zephyr srvtab file, without requiring that that host be listed beforehand
in a file on each of the other machines.
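As an added illustration (not part of Ken Raeburn's message or any Kerberos distribution), the Zephyr script above rewritten so it fails closed: the srvtab is checked for the owner-only protection the message says it "presumably" has, the ksrvtgt exit status is checked, and the ticket file is destroyed when the job ends. kdestroy, the srvtab path and gather_zephyr_stats are assumed names.

```sh
#!/bin/sh
# Added example, not from the post: wraps the ksrvtgt pattern from the
# Zephyr script so the job fails closed. Assumed names: kdestroy (standard
# Kerberos tool), /usr/spool/zephyr/srvtab and gather_zephyr_stats.

# srvtab_is_private FILE: true only if FILE is a regular file owned by the
# current uid with no group/other permission bits, i.e. the protection the
# post says the srvtab "is presumably" given.
srvtab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # octal mode and numeric owner; GNU stat first, BSD stat as fallback
    set -- $(stat -c '%a %u' "$f" 2>/dev/null || stat -f '%Lp %u' "$f")
    mode=$1; owner=$2
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;     # group and other digits are both zero
        *)   return 1 ;;
    esac
}

# with_srvtgt SERVICE INSTANCE SRVTAB COMMAND...: get a TGT from SRVTAB into
# a fresh private ticket file, run COMMAND, then destroy the ticket so it
# does not outlive the job (the first script leaves /etc/tkt-dist in place).
with_srvtgt() {
    service=$1; instance=$2; srvtab=$3; shift 3
    if ! srvtab_is_private "$srvtab"; then
        echo "refusing: $srvtab must be owned by uid $(id -u), mode 0600" >&2
        return 2
    fi
    KRBTKFILE=$(mktemp /tmp/tkt.XXXXXX) || return 2   # created mode 0600
    export KRBTKFILE
    if ksrvtgt "$service" "$instance" "$srvtab"; then
        "$@"; rc=$?
    else
        echo "ksrvtgt failed for $service.$instance" >&2; rc=3
    fi
    kdestroy >/dev/null 2>&1; rm -f "$KRBTKFILE"
    return "$rc"
}

# As the Zephyr script above would call it:
#   with_srvtgt zephyr zephyr /usr/spool/zephyr/srvtab gather_zephyr_stats
```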