[32613] in Kerberos


Question on k5start daemon-related example in k5start manual

daemon@ATHENA.MIT.EDU (Holger Rauch)
Tue Aug 31 09:07:45 2010

Date: Tue, 31 Aug 2010 15:07:29 +0200
From: Holger Rauch <holger.rauch@empic.de>
To: kerberos@mit.edu
Message-ID: <20100831130729.GA12741@heitec.de>

Hi Russ (and all the others as well),

I came across

http://www.eyrie.org/~eagle/software/kstart/k5start.html

and saw the following excerpt (sample code) for use in (Debian) init scripts

===

Starts k5start as a daemon using the Debian start-stop-daemon
management program. This is the sort of line that one could put into a
Debian init script:

    start-stop-daemon --start --pidfile /var/run/k5start.pid \
        --exec /usr/local/bin/k5start -- -b -p /var/run/k5start.pid \
        -f /etc/krb5.keytab host/example.com

This uses /var/run/k5start.pid as the PID file and obtains
host/example.com tickets from the system keytab file. k5start would
then be stopped with:

    start-stop-daemon --stop --pidfile /var/run/k5start.pid
    rm -f /var/run/k5start.pid

This code could be added to an init script for Apache, for
example, to start a k5start process alongside Apache to manage its
Kerberos credentials.

===

My questions:

- When using k5start in this way, should only host principals be used
  or should it also work with user principals?

- What maximum ticket lifetime is assumed/recommended for the used
  principal(s) so that this particular approach works as expected?
  (By "as expected" I mean that Apache runs possibly indefinitely
  (provided that the Apache process doesn't dump core :-) ),
  i.e. without having to be restarted manually just in order
  to obtain a new, "fresh" Kerberos ticket for the corresponding
  principal).

Thanks in advance & kind regards,

    Holger


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
