Coda File System

Re: How to renew coda tickets and tokens automatically?

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Mon, 11 Jul 2016 14:39:36 -0400

On Mon, Jul 11, 2016 at 11:13:55AM +0200, Karl-Philipp Richter wrote:
> OpenAFS has the ability to renew kerberos tickets and get AFS tokens
> automatically with the `krenew` command. Is there an equivalent in coda?

AFS tokens are actually modified kerberos tickets and they use a
kerberos mechanism to delegate ticket signing through a TGT (ticket
granting ticket?) or a host token to make a fresh set of AFS tokens
without contacting the kerberos server.

Coda tokens are not related to Kerberos tickets and there is no chain of
intermediate signing tickets, only trusted servers (auth2 daemons) are
able to sign a fresh Coda token.

> I didn't find anything on
> [google](https://www.google.de/?gws_rd=ssl#q=coda+renew+token) and in
> the `clog` manpage.

It probably was mentioned in the mailing list at some point, but on our
webserver I have a cron job to safely renew a Coda token for the apache
server.

The crontab entry is as follows,

    55 */3 * * *    root    /root/bin/gettokens.sh

The gettokens.sh script contains,

    #!/bin/sh

    /usr/bin/clog -as www-data websrv_at_coda.cs.cmu.edu < /etc/coda/auth/www-data

And the actual password is stored in '/etc/coda/auth/www-data' where the
/etc/coda/auth directory is only readable by root. This prevents the
'www-data' user from reading the password but he still gets a token that
is refreshed every 3 hours. When the server is rebooted, the same
gettokens.sh script is run from rc.local.

Jan
Received on 2016-07-11 14:39:46
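
A stricter variant of the gettokens.sh wrapper described in the message above, added here as an example and not part of the original post: it refuses to call clog unless the password file and its directory are owned by the invoking user (root under cron) and grant nothing to group or other. The function names, the `CLOG` override variable and the extra check on the file itself are assumptions of this example; the `clog -as` call is the one from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the CLOG
# override variable are hypothetical.
CLOG=${CLOG:-/usr/bin/clog}

# private_to_me PATH: succeed only if PATH is owned by the invoking user
# (root when run from cron) and grants no access to group or other.
private_to_me() {
    # ls -ldn prints e.g. "drwx------ 2 0 0 4096 Jul 11 14:39 PATH"
    line=$(ls -ldn -- "$1" 2>/dev/null) || return 1
    mode=${line%% *}
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits;
    # a symlink shows as lrwxrwxrwx and is rejected here as well.
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] || return 1
    [ "$owner" = "$(id -u)" ]
}

# renew_token LOCALUSER CODAUSER PWFILE: the clog call from the post,
# run only after the directory and the file pass the check (exit 2 if not).
renew_token() {
    dir=$(dirname "$3")
    for p in "$dir" "$3"; do
        if ! private_to_me "$p"; then
            echo "gettokens: unsafe ownership or mode on $p" >&2
            return 2
        fi
    done
    "$CLOG" -as "$1" "$2" < "$3"
}

# Usage from cron: gettokens.sh www-data <coda-user> /etc/coda/auth/www-data
if [ "$#" -eq 3 ]; then
    renew_token "$@"
fi
```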