[6354] in Kerberos
Re: Kinit from cron script
daemon@ATHENA.MIT.EDU (Jonathan Kamens)
Wed Dec 13 04:42:13 1995
To: kerberos@MIT.EDU
Date: 13 Dec 1995 09:19:23 GMT
From: jik@annex-1-slip-jik.cam.ov.com (Jonathan Kamens)

First of all: You don't really want to do this. Running kinit from a cron
script and feeding the password into it implies that the password is
hard-coded into the script. That is a Bad Thing.

If you must do this, then extract the key for which you want to get tickets
into a keytab/srvtab file, put that file in a hidden directory somewhere
that's only readable by the UID that the script runs under, and then use "kinit
-k" (that's under V5; I believe the equivalent under V4 is ksrvtgt; you should
mention when you post to comp.protocols.kerberos whether you're using V4 or
V5, and what version you're using) to get tickets from the keytab. In
absolute terms, the amount of risk in doing this if you do everything properly
is the same as if you hard-code the password in the script (assuming that the
script is only readable by the UID executing it), but doing it with a keytab
makes compromises much less likely.

Second: If you really must hard-code a password in a script, then get Expect
and use it to talk to kinit. Problems like this are what Expect was designed
for. For more information about Expect, see "Exploring Expect: A Tcl-Based
Toolkit for Automating Interactive Applications", ISBN 1-56592-090-2,
published by O'Reilly (see the next paragraph for more information about the
book), or just get expect from
<URL:ftp://ftp.cme.nist.gov/pub/expect/expect.tar.Z> and read the
documentation files that come with it.

Here's more information about the book (from the README file that comes with
Expect):

If you have access to World Wide Web, here are some related URLs:
one-paragraph description (from O'Reilly catalog):
http://www.ora.com/gnn/bus/ora/item/expect.html
one-page description (from back cover of book):
http://www.ora.com/gnn/bus/ora/item/expect.desc.html
front cover - picture and description:
http://www.ora.com/gnn/bus/ora/item/expect.cover.html
To order:
Via email: order@ora.com
Via the web: http://www.ora.com/gnn/bus/ora/ordering/index.html
Via phone (Weekdays 6am-6pm PST): 800-889-9938 or 707-829-0515
Publisher's address: O'Reilly & Associates, Inc.
103A Morris Street
Sebastopol, CA 95472
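
The keytab approach described in the message above, as an added example that is not part of the original post: a cron wrapper that checks the keytab and its directory are private to the running UID before calling "kinit -k". The function names and the KEYTAB and PRINCIPAL arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Usage: script KEYTAB PRINCIPAL
# (both arguments are placeholders chosen by whoever deploys the cron job).

# Succeed only if $1 exists, is not a symlink, is owned by the current UID,
# and has no group/other permission bits set. ACLs are not inspected.
path_is_private() {
    p=$1
    [ -e "$p" ] || return 1
    [ ! -L "$p" ] || return 1
    # "ls -ldn" prints e.g. "-rw------- 1 1000 1000 ..."; field 3 is the numeric owner.
    set -- $(ls -ldn -- "$p")
    mode=$1 owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        ????------*) return 0 ;;   # type + owner bits, then six dashes
        *) return 1 ;;
    esac
}

# The keytab must be a private regular file inside a private directory.
keytab_is_safe() {
    [ -f "$1" ] && path_is_private "$1" && path_is_private "$(dirname "$1")"
}

# Get tickets from the keytab, refusing if the key material is exposed.
refresh_tickets() {
    keytab=$1 principal=$2
    if ! keytab_is_safe "$keytab"; then
        echo "refusing $keytab: file or directory not private to UID $(id -u)" >&2
        return 1
    fi
    # MIT V5 kinit: -k takes the key from a keytab, -t names the keytab file.
    kinit -k -t "$keytab" "$principal"
}

if [ $# -eq 2 ]; then
    refresh_tickets "$1" "$2"
fi
```

A non-zero exit from the wrapper shows up in cron's mail, so a keytab whose permissions have drifted is reported instead of silently used.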