Getting a kerberos ticket

Mike McGavin jester at NOSPAM.mcsnospam.vuw.netNOSPAM.nz
Tue Jan 28 21:43:35 EST 2003


Hi Donn.  Thanks for the help.

Donn Cave wrote:

> I gather that the ID (principal) is always the same here, you're not
> getting it from the web form.
> [--snip--]

Yes, the ID's always going to be my user account ID, for now at 
least.  The script runs under my uid, not as nobody, and the database in 
postgres is owned by my uid.  I just can't get them to talk to each 
other unless I'm actually logged in interactively to run kinit.

I was hoping that there might be a library or module somewhere that 
could do everything that kinit does without me having to be there to 
type in the password, but instead let me pass it through the script. I 
always feel uneasy about writing down a password, but under the 
circumstances I'm prepared to do it with this account and take certain 
precautions.

The attitude of the local sysadmins is that they're not too concerned as 
long as the script runs as me, which it does, and I recognise that I'm 
responsible for whatever goes on. (The worst it can do on a system level 
is to zap all my data, but it still can't reach anyone else's.)


> Then you need a keytab file with the principal's password, with access
> restricted to your application ID (and root of course - there's no way
> you can do this without giving the web host's admins access to your
> database.)  That can be used periodically to update credentials, via
> kinit in a cron job, or every time the request runs.

Thanks.  Would I still need this if the process is running under my uid, 
or is it only if it's running as nobody?


> A Python module for Kerberos5 is feasible, but seems like it might be
> the least of your worries (maybe not even worth the installation and
> maintenance of this C module.)

I actually managed to find Elliot Lee's krb5 module at 
http://py.vaults.ca/parnassus/apyllo.py?i=187576001, but I'm having a 
difficult time getting it to compile under NetBSD.  I'm not yet sure if 
it'll do what I want, but I'm hoping.


Thanks for all your help so far.
Mike.
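As an added example of the keytab-plus-kinit approach Donn describes (not code from this thread, nor from Elliot Lee's krb5 module), assuming MIT Kerberos `kinit`/`klist` on PATH and a placeholder principal and keytab path:

```python
"""Acquire a Kerberos TGT from a keytab inside a script, with no interactive kinit.

Added example, not from the original thread.  Assumes MIT Kerberos kinit/klist
binaries are on PATH; the principal and keytab path below are placeholders.
"""
import os
import stat
import subprocess
import tempfile


def mode_is_private(mode, owner_uid, running_uid):
    """True only for a regular file owned by us with no group/other bits.

    A keytab is equivalent to the principal's password, so anything weaker
    than 0600 owned by the script's uid should stop the script cold.
    """
    if not stat.S_ISREG(mode):
        return False
    if owner_uid != running_uid:
        return False
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def keytab_permissions_ok(path):
    """Check the on-disk keytab against the policy in mode_is_private()."""
    st = os.stat(path)
    return mode_is_private(st.st_mode, st.st_uid, os.geteuid())


def build_kinit_cmd(principal, keytab):
    """kinit -k uses the keytab instead of a typed password; -t names it."""
    return ["kinit", "-k", "-t", keytab, principal]


def acquire_ticket(principal, keytab, ccache=None):
    """Run kinit into a private credential cache and return the environment.

    Hand the returned env to the database client (psql/libpq or any
    GSSAPI-aware library) so it finds the fresh ticket via KRB5CCNAME.
    """
    if not keytab_permissions_ok(keytab):
        raise PermissionError("refusing to use over-permissive keytab " + keytab)
    env = dict(os.environ)
    if ccache is None:
        # Per-process cache so a concurrent cron run cannot clobber it.
        fd, ccache = tempfile.mkstemp(prefix="krb5cc_script_")
        os.close(fd)
    env["KRB5CCNAME"] = "FILE:" + ccache
    subprocess.run(build_kinit_cmd(principal, keytab), env=env, check=True)
    return env


if __name__ == "__main__":
    # Placeholder principal and keytab location (constructed, not from the thread).
    env = acquire_ticket("jester@EXAMPLE.REALM", os.path.expanduser("~/.script.keytab"))
    subprocess.run(["klist"], env=env, check=True)
```

The same `acquire_ticket` call works whether the cron job runs as the owning uid or as nobody; what changes is only which uid must own the 0600 keytab.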
