-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathTODO
80 lines (57 loc) · 3.09 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
kstart To-Do List
k5start:
* Attempt to renew the ticket before prompting the user for a new
password when run with the -H flag with a ticket that will be expiring.
* Provide a flag like -H that checks the status of the ticket but
just exits with a zero or non-zero exit status instead of prompting.
* Add a flag saying to start a command in a PAG and with tokens and then
keep running even if the command exits. This would be useful to spawn
a long-running daemon inside a PAG and then maintain its tokens, even
if k5start and the daemon then become detached and have to be stopped
separately.
* Relax the requirement to use keytabs when running a command and support
prompting for the authentication password before starting the command.
In this case, there's no reason for k5start to keep running once the
command has been started, so it can simply exit after spawning the
command.
* Add a flag to keep reprompting for the password until authentication
succeeds.
* Use krb5_get_init_creds_opt_set_out_ccache to store the ticket cache
instead of writing the credentials ourselves, since this will store MIT
Kerberos configuration information in the cache.
* Support obtaining new credentials in a DIR cache or another cache type
that supports multiple principals without destroying the existing
cache.
* Add a kinstance command to run a command with a particular default
principal instead of the default for the cache collection (assuming
this is even possible).
* Determine the actual ticket lifetime from the Kerberos ticket cache and
use that to set the wakeup time if -K was not provided, rather than
always using a default of one hour.
* Add anonymous authentication support.
* Add a mode of operation that only runs the aklog program and doesn't
attempt to refresh the ticket cache unless it's about to expire. This
would allow multiple k5start daemons to use the same ticket cache
without putting a lot of load on the Kerberos KDC for constant renewals
from each daemon.
krenew:
* Add an option to send SIGHUP to the child process when krenew exits
because the ticket is no longer renewable.
Documentation:
* Document how to start Apache with tickets and AFS tokens, either using
k5start in the init script or the non-PAG method we use at Stanford.
Probably take some information from the Stanford web page documenting
using tokens with servers.
* Document when various flags and features were added.
Test suite:
* Test more of krenew's basic functionality, preferrably by parsing klist
output more thoroughly (or using a Perl module that can parse the
ticket cache directly) and seeing if tickets really were renewed.
* Test that -K and running a command wakes up periodically and renews
tickets for both krenew and k5start.
* Add tests for k5start password prompting, either from standard input or
from a TTY.
* Move tests/libtest.pl into rra-c-util and break it apart into
functionality groups.
* Refactor all test cases to reduce copy-and-paste code and use more
helper functions.