./security/kstart, Kerberos v5 kinit daemon that uses keytabs

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 4.2nb1, Package name: kstart-4.2nb1, Maintainer: jakllsch

k5start, and krenew are modified versions of kinit which add support
for running as a daemon to maintain a ticket cache, running a
command with credentials from a keytab and maintaining a ticket
cache until that command completes, obtaining AFS tokens (via an
external aklog) after obtaining tickets, and creating an AFS PAG
for a command. They are primarily useful in conjunction with
long-running jobs; for moving ticket handling code out of servers,
cron jobs, or daemons; and to obtain tickets and AFS tokens with
a single command.


Required to run:
[security/heimdal]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 289.698 KB

Version history: (Expand)


CVS history: (Expand)


   2021-10-26 13:18:07 by Nia Alarie | Files touched by this commit (605)
Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo \ 
cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
   2021-10-21 09:46:39 by Thomas Klausner | Files touched by this commit (77)
Log message:
*: recursive bump for heimdal 7.7.0

its buildlink3.mk now includes openssl's buildlink3.mk
   2021-10-07 16:54:50 by Nia Alarie | Files touched by this commit (606)
Log message:
security: Remove SHA1 hashes for distfiles
   2020-05-31 11:36:44 by Roland Illig | Files touched by this commit (1)
Log message:
security/kstart: remove unknown configure option
   2020-05-22 07:27:06 by Mark Davies | Files touched by this commit (2) | Package updated
Log message:
kstart: update to 4.2

k5start, when run with the -K option to run as a daemon, no longer exits if
the initial authentication fails (unless -x was given). Instead, it reports
the error to standard error and then continues to run, attempting authentication
every minute as if authentication had failed after it had started.

For both k5start with a command or -K and no -x flag, and krenew with the -i
flag, repeatedly retry the initial authentication. The first retry will be
immediate, and then the commands will keep trying with exponential backoff to
one minute intervals, and then continuously at one minute intervals until the
command is killed or authentication succeeds. k5start and krenew will no longer
start any other command until the initial authentication succeeds, fixing
startup behavior when running a command that must have valid Kerberos tickets
immediately on start.

Clean up the temporary ticket cache on k5start failure if -o, -g, or -m were
given.

The -H flag to k5start or krenew may now be used in conjunction with -K and
controls whether the ticket is renewed when the command wakes up. Normally,
the ticket will be renewed if it will expire sooner than two minutes after the
next time the command will wake up. If -H is specified, its value replaces the
default value of two minutes.

Add a new -a option to both k5start and krenew that, when used with -K, tells
those programs to refresh tickets every time they wake up. This is useful with
-t to ensure that the AFS token renewal program is always run, even if something
else renews the ticket cache before k5start or krenew wake up. It also provides
more predictable ticket refresh behavior. This probably should have been the
default with -K from the beginning, but the default wasn't changed to keep
backward compatibility. Consider always using -a with -K.

Fix k5start and krenew to not incorrectly reject the -b flag in conjunction
with -K or a command.
   2018-01-01 23:30:04 by Roland Illig | Files touched by this commit (537)
Log message:
Sort PLIST files.

Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:

  pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
   2017-08-16 22:21:18 by Thomas Klausner | Files touched by this commit (180)
Log message:
Follow some http redirects.
   2015-11-04 02:18:12 by Alistair G. Crooks | Files touched by this commit (434)
Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.