Kerberos tmux helper
ktmux_helper is a Perl script designed to be run from within tmux to launch krenew and keep Kerberos credentials up-to-date.
ktmux is a bash script to launch tmux and start ktmux_helper for you.
Download
The scripts are developed in parallel. If you return to update one, make sure that you also update the other.
Description
Kerberos tickets expire after a period of time. tmux sessions are usually long-lived. You might therefore expect that running tmux under krenew would help to renew your credentials automatically and allow you to have krb5 tickets available for the duration of your tmux session.
Unfortunately there is a flaw in this plan. When your TGT reaches the end of its renewable lifetime, krenew will die, as it can't renew the ticket any longer. This is very bad news for tmux: if it survives the death of its parent, it will probably get horribly confused about the state of the terminal and not work properly.
ktmux_helper attacks the problem from the opposite direction. It is run as a child of tmux and launches krenew itself. If the tmux session goes away the script tidies up krenew. If krenew dies - either because it can't renew tickets or because something bad happened - the script will restart it.
In the event that your TGT reaches the end of its renewable lifetime ktmux_helper will instruct tmux to open a new window and run kinit so you can get new credentials.
Configuration
You should add a line to your shell startup to obtain new credentials when your originals expire.
klist -s || kinit
If you're paranoid you can also add a line to relaunch ktmux_helper. This is safe as it will immediately exit if a helper is already running.
if [ -n "$TMUX" ]; then
    tmux run-shell ktmux_helper ';' detach 2>/dev/null
fi
Note the quoted semicolon! Without the quotes your shell would interpret detach as a new shell command. In fact it is a new tmux command.
Make sure your .tmux.conf does not have KRB5CCNAME set in update-environment. Previously I recommended having it, but doing so introduces a bug: attaching to the session from a terminal whose KRB5CCNAME is different overrides the credentials cache name in the session environment, so new panes use the new cache, which krenew is not renewing.
Limitations
The script doesn't handle multiple sessions from the same tmux server because it cannot determine which session launched it. I have some ideas on how this limitation might be removed.
The script doesn't handle DIR: or KEYRING: collections.
If your credentials expire the script will run kinit to allow you to get a new TGT. The script has no way of knowing that expiration is imminent so it can't run kinit ahead of time.
The good news is that if credential renewal fails - because you typed your password incorrectly, you cancelled kinit or for some other reason - another kinit will be launched.
If kinit, klist or krenew are not in your PATH you will have to tell the script where to find them with the -I, -L and -R flags.
If your shell startup changes KRB5CCNAME it's possible for krenew to run against the wrong credentials.
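The KRB5CCNAME pitfalls above (the update-environment setting, a shell startup that changes the variable, and the unsupported DIR: and KEYRING: types) can be checked from inside a pane. The following is an added example, not part of ktmux or ktmux_helper; the function names are made up, the sample output is constructed, and it assumes krenew is renewing the cache named in tmux's own environment.

```shell
# Added example, not part of ktmux/ktmux_helper. Function names are made up.
# Assumption: krenew renews the cache named in tmux's environment.

# Succeeds if KRB5CCNAME is listed in update-environment. Accepts both
# styles printed by `tmux show-options -g update-environment`:
#   update-environment "DISPLAY KRB5CCNAME"   (single string)
#   update-environment[1] KRB5CCNAME          (array form)
ue_lists_ccname() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[^A-Za-z0-9_])KRB5CCNAME($|[^A-Za-z0-9_])'
}

# Extract the value from `tmux show-environment KRB5CCNAME` output.
# "-KRB5CCNAME" (marked for removal) and empty input yield nothing.
tmux_ccname() {
    case "$1" in
        KRB5CCNAME=*) printf '%s\n' "${1#KRB5CCNAME=}" ;;
    esac
}

# Compare tmux's cache name ($1) with the pane's ($2).
# Prints: ok | unset | unsupported-type | mismatch
check_ccname() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unset; return 0; fi
    case "$1" in
        DIR:*|KEYRING:*) echo unsupported-type; return 0 ;;
    esac
    if [ "$1" = "$2" ]; then echo ok; else echo mismatch; fi
}

# Live check for the current pane; call this by hand from inside tmux.
ktmux_check() {
    if ue_lists_ccname "$(tmux show-options -g update-environment)"; then
        echo "warning: update-environment lists KRB5CCNAME"
    fi
    # Session environment first, then the server's global environment.
    env_line=$(tmux show-environment KRB5CCNAME 2>/dev/null) ||
        env_line=$(tmux show-environment -g KRB5CCNAME 2>/dev/null) ||
        env_line=
    check_ccname "$(tmux_ccname "$env_line")" "$KRB5CCNAME"
}

# Constructed sample output, so the functions can be tried outside tmux.
SAMPLE_UE='update-environment[0] DISPLAY
update-environment[1] KRB5CCNAME
update-environment[2] SSH_AUTH_SOCK'
SAMPLE_ENV='KRB5CCNAME=FILE:/tmp/krb5cc_1000_example'
```

Source the file and run ktmux_check from a pane. When update-environment lists KRB5CCNAME the comparison can still print ok, because tmux's environment has already been overwritten by the attaching terminal, which is why that setting is checked separately.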
A better solution would be to integrate Kerberos support directly into tmux. I am not familiar with the code but I envisage it working something like this:
Set a recurring event for the session which checks for ticket validity and renews as appropriate. In other words a built-in mini-krenew.
Prompt the user for his password - similarly to command-prompt - when new credentials must be obtained.
Automatically propagate KRB5CCNAME to new panes.