Booker Bense <[email protected]> writes:

> I haven't yet seen a "right way" to do this in kerberos. Ideally you'd
> like an alternate key that can only be used from certain machines, to
> run certain programs.

This is one of the things that rxgk would give you, using combined tokens.

> Renewable and long life tickets can solve the batch problem with enough
> support. K5start is suitable for daemons, but cron is very difficult.
> The closest to "right" that I've seen is to create an alternate
> principal, user/[email protected], stuff the key into a keytab and then
> keep tweaking acl's until the cron job can do everything it needs
> to. Secure, but inflicts a lot of user pain.

Yup, that's what we do here for cron jobs (primarily for web applications, not for compute tasks). We have a cron service that creates a /cron principal for the user and runs jobs with tickets and tokens for that principal. The user can then add ACLs in AFS on appropriate directories.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
