Maintaining Kerberos and AFS credentials in Screen

If you use a persistent screen session on a machine running OpenAFS, you’ve likely experienced long delays and confusion when your tickets and tokens expire.

The Screen and Kerberos patches will create a credentials cache for your screen session and automatically renew tickets. That’s a start, but your tokens still expire.

A relatively simple modification runs aklog after renewing your tickets. The patch for this is here; Debian packages for acm-screen, incorporating Kerberos and AFS patches, are here.

However, this still leaves a problem when your tickets exceed their renewable lifetime. For that, I wrote a zsh function which wraps screen and re-kinit/aklogs if there is less than a day remaining before they expire for good.

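screen() {
  # note: this breaks if you have >1 screen session
  # First credentials cache of the patched screen. The U glob qualifier only
  # matches files owned by us, since /tmp is world-writable.
  local -a cc
  cc=(/tmp/krb5cc_scr_$(id -u)_*(NU[1]))
  # Only check when a cache exists and screen was given arguments
  [[ -n $cc ]] && (( ${#@} )) && {
    local princ=$(klist -5 $cc | awk '/Default principal:/ { print $3 }')
    [[ -n $princ ]] && {
      local expiry
      zmodload zsh/datetime
      # Parse the "renew until" line that follows the krbtgt entry
      strftime -r -s expiry '%D %X' \
        "$(klist -5 $cc | awk '/krbtgt/ { getline ; print $3 " " $4 ; exit }')"
      # Less than a day of renewable lifetime left: new tickets, then new tokens.
      # =screen calls the real binary instead of re-entering this wrapper.
      (( expiry - EPOCHSECONDS < 86400 )) && {
        kinit -r7d -c $cc $princ && =screen -X screen aklog || return 1
      }
    }
  }
  =screen "$@"
}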
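
The expiry check in the function above, as an added example in portable sh and awk (not code from the original post or the acm-screen patches). It goes a little further than the wrapper: a TGT with no "renew until" line falls back to its Expires column, and a cache with no krbtgt entry is reported. The function names and the sample realm and cache name are made up for illustration.

```shell
# Added example, not from the original post; function names are hypothetical.
# Reads `klist -5` output on stdin and prints the seconds left until the TGT
# expires for good; returns 2 when there is no krbtgt entry.
# $1 (optional): current local time as "MM/DD/YY HH:MM:SS" (default: now).
krb_final_left() {
  awk -v now="${1:-$(date '+%m/%d/%y %H:%M:%S')}" '
    # Wall-clock stamp -> seconds, ignoring time zone: both stamps are local
    # time, so only their difference is used (off by an hour across DST).
    function secs(d, t,    a, b, y, m, yoe, era, doy, days) {
      split(d, a, "/"); split(t, b, ":")
      y = (a[3] + 0 < 100) ? 2000 + a[3] : a[3] + 0; m = a[1] + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + a[2] - 1
      days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
      return days * 86400 + b[1] * 3600 + b[2] * 60 + b[3]
    }
    seen {                                  # the line right after the krbtgt entry
      if ($1 == "renew" && $2 == "until") final = secs($3, $4)
      exit
    }
    $NF ~ /^krbtgt\// { final = secs($3, $4); seen = 1 }   # Expires as fallback
    END {
      if (!seen) exit 2
      split(now, n, " "); print final - secs(n[1], n[2])
    }'
}

# True (0) when under $2 seconds (default one day) remain or no TGT is present.
krb_needs_kinit() {
  _left=$(krb_final_left "$1") || return 0
  [ "$_left" -lt "${2:-86400}" ]
}

# Constructed sample of klist -5 output (realm and cache name are made up).
sample_klist() {
  printf '%s\n' \
    'Ticket cache: FILE:/tmp/krb5cc_scr_1000_AbCdEf' \
    'Default principal: user@EXAMPLE.ORG' \
    '' \
    'Valid starting     Expires            Service principal' \
    '01/01/10 10:00:00  01/01/10 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG' \
    '        renew until 01/08/10 10:00:00' \
    '01/01/10 10:00:05  01/01/10 20:00:00  afs/example.org@EXAMPLE.ORG' \
    '        renew until 01/08/10 10:00:00'
}
```

Against a real cache, pipe `klist -5` for that cache into `krb_needs_kinit` and run kinit and aklog only when it returns true.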

Enjoy.