krenew for Kerberos Ticket and AFS Token Renewal

Keeping tickets and tokens around with krenew

Linux machines with krenew installed can keep Kerberos tickets and AFS tokens valid automatically. The maximum renewal period depends on how the account is configured in the KDC; typically new tickets can be renewed for a week.

BASH Example:

krenew -t -- ~/bin/testkrenew.bash > ~/tmp/testkrenew.out 2> ~/tmp/testkrenew.err

More about what is going on

man krenew

SCS has a good source of AFS help.

Logging onto an ECE Linux host, either on the console or remotely via ssh, requires entering a username and password (i.e. no tickets are obtained when using public-key authentication). This process obtains a Kerberos ticket and an AFS token for the session. To see the current state of both, run:

klist -f
tokens

klist lists Kerberos tickets; the -f flag also shows each ticket's flags. The tickets obtained on initial logon should have the I (initial), F (forwardable) and R (renewable) flags set. On ECE hosts the lifespan should be 25 hours from the time they were obtained, and they can be renewed for 7 days. The ticket cache location is also listed. tokens shows the AFS tokens held by the Cache Manager. These are the parameters krenew will use, although krenew runs the commands in a new PAG with new tickets in a new ticket cache.

username@ecexxx:~> date
Fri Aug 31 10:02:00 EDT 2012
username@ecexxx:~> klist -f
Ticket cache: FILE:/var/tmp/krb5cc_username_nNSLfy
Default principal: username@ECE.CMU.EDU

Valid starting     Expires            Service principal
08/31/12 10:01:54  09/01/12 11:01:54  krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
	renew until 09/01/12 12:41:54, Flags: FRI
username@ecexxx:~> tokens

Tokens held by the Cache Manager:

Tokens for afs@ece.cmu.edu [Expires Sep  1 11:01]
   --End of list--

A Kerberos ticket that has not yet expired can be renewed. Once the Kerberos ticket is renewed, the AFS tokens must be renewed as well. krenew automates this renewal only for the commands run under its control. Renewal can also be done manually:

kinit -r 7d -l 25h -f -R
aklog

Even though a renewal period of 7 days was requested, the "renew until" date will not change: renewal cannot extend a ticket beyond the renewable lifetime it was granted when first obtained. Similarly, once fewer than 25 hours remain before that renewable lifetime expires, the renewed ticket's lifespan will end at the renew-until time rather than lasting the full 25 hours requested. If tickets or tokens expire, or if tickets with a full 7-day renewal period are desired, new tickets must be obtained; requesting new tickets requires typing in the password.

kinit -r 7d -l 25h -f
aklog
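The checks described above (ticket flags, renew-until time, ticket cache) and the decision between renewing in place and obtaining fresh tickets can be scripted before a long-running job is handed to krenew. The following POSIX shell script is an added example; it is not code from this page or from ECE. It parses `klist -f` output in the MIT Kerberos format shown above (a constructed sample modelled on the session is embedded so the script runs offline; pass `--live` on a host with klist to read the real cache), checks that the ticket carries both the R and F flags, and prints which kinit form applies. It also builds the krenew command line from the Bash example at the top of the page; the `-t` option there makes krenew run aklog after each renewal so the AFS token follows the ticket. The paths under $HOME and the `--live` switch are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page or from ECE.
# Inspects `klist -f` output, decides between in-place renewal (kinit -R + aklog)
# and fresh tickets (password required), and builds a krenew command line.

set -u

# Constructed sample of `klist -f` output, modelled on the page's session.
SAMPLE_KLIST='Ticket cache: FILE:/var/tmp/krb5cc_username_nNSLfy
Default principal: username@ECE.CMU.EDU

Valid starting     Expires            Service principal
08/31/12 10:01:54  09/01/12 11:01:54  krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
        renew until 09/01/12 12:41:54, Flags: FRI'

# Ticket cache named in the klist output.
ticket_cache() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: //p' | head -n 1
}

# Flag letters (e.g. FRI) attached to the first ticket that lists flags.
tgt_flags() {
    printf '%s\n' "$1" | sed -n 's/.*Flags: \([A-Za-z]*\).*/\1/p' | head -n 1
}

# "renew until" timestamp of that ticket, exactly as klist prints it.
tgt_renew_until() {
    printf '%s\n' "$1" | sed -n 's|.*renew until \([0-9/]* [0-9:]*\),.*|\1|p' | head -n 1
}

# Succeeds when the ticket carries both R (renewable) and F (forwardable);
# krenew can only extend a renewable ticket.
is_renewable() {
    case "$(tgt_flags "$1")" in
        *R*F*|*F*R*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "renew" when kinit -R will do, "reinit" when new tickets are needed.
renewal_action() {
    if is_renewable "$1"; then echo renew; else echo reinit; fi
}

# krenew command line for a script with stdout/stderr captured, as on the page.
# -t makes krenew run aklog after each renewal so the AFS token follows the ticket.
krenew_cmdline() {
    printf 'krenew -t -- %s > %s 2> %s\n' "$1" "$2" "$3"
}

main() {
    klist_out="$SAMPLE_KLIST"                 # offline default: constructed sample
    if [ "${1:-}" = "--live" ] && command -v klist >/dev/null 2>&1; then
        klist_out="$(klist -f)"               # real ticket cache on a Kerberos host
    fi
    home="${HOME:-/home/username}"            # assumed job/log locations
    echo "cache:  $(ticket_cache "$klist_out")"
    echo "flags:  $(tgt_flags "$klist_out") (renewable until $(tgt_renew_until "$klist_out"))"
    case "$(renewal_action "$klist_out")" in
        renew)  echo "action: kinit -r 7d -l 25h -f -R && aklog" ;;
        reinit) echo "action: kinit -r 7d -l 25h -f && aklog   (password prompt)" ;;
    esac
    echo "job:    $(krenew_cmdline "$home/bin/testkrenew.bash" "$home/tmp/testkrenew.out" "$home/tmp/testkrenew.err")"
}

main "$@"
```

Running it without arguments reports the sample ticket as FRI, renewable until 09/01/12 12:41:54, and recommends the kinit -R form; a ticket whose flags lack R is reported as needing new tickets, which is the case krenew cannot rescue on its own.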