Automating ssh with keytab.py

Richard R. Drake edited this page Jun 8, 2022 · 1 revision

Automated processes may need to ssh or scp to another machine. There are a few ways to authenticate from a non-interactive shell or script, that is, without typing in a password.

Using a keytab file

For connecting to a machine that allows Kerberos authentication, a Kerberos keytab file can be used to store a table of credentials/keys that are then used to initialize a Kerberos ticket. The keytab file is created interactively, after which a Kerberos ticket can be initialized without entering a password. The Kerberos ticket is then used by ssh or scp to connect to the remote machine.

The vvtest/trig/keytab.py file is a helper script to make this easy. First, generate the keytab:

  1. Make sure the directory ~/.ssh exists and is readable and writable only by the owner.
  2. Run "keytab.py generate" to create the keytab file. This will walk you through a set of operations for a handful of encryption types. A file will be written to ~/.ssh/krb5keytab.
  3. Repeat this process any time your password changes.
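
The keytab holds keys derived from your password, so the owner-only requirement in step 1 is worth checking before an automated job relies on it. The following is an added example, not part of keytab.py or vvtest. The function names are hypothetical, and applying the same owner-only rule to the keytab file itself (and rejecting symbolic links) is an assumption of this example, not something the page states.

```python
import os
import stat


def permission_problems(path, want_dir):
    """Return reasons why `path` is not private to the current user."""
    try:
        st = os.lstat(path)  # lstat: inspect the path itself, not a link target
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symbolic link"]
    problems = []
    if want_dir and not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: is not a directory")
    if not want_dir and not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: is not a regular file")
    if st.st_uid != os.geteuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    # Any group or other bit means someone besides the owner has access.
    extra = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
    if extra:
        problems.append(f"{path}: group/other permission bits set ({extra:03o})")
    return problems


def audit_keytab(ssh_dir=None):
    """Check ~/.ssh and ~/.ssh/krb5keytab (the path named in step 2)."""
    ssh_dir = ssh_dir or os.path.expanduser("~/.ssh")
    keytab_file = os.path.join(ssh_dir, "krb5keytab")
    return permission_problems(ssh_dir, True) + permission_problems(keytab_file, False)


if __name__ == "__main__":
    issues = audit_keytab()
    for line in issues:
        print(line)
    raise SystemExit(1 if issues else 0)
```

Run it after "keytab.py generate" and again from the automated job before initializing a ticket; a non-zero exit status means the directory or the keytab needs its permissions fixed (for example with chmod 700 and chmod 600).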

Once the keytab file exists, you can use this construct in Python code:

import keytab
keytab.init_ticket()
try:
    do_stuff_involving_ssh_or_scp_to_another_machine()
finally:
    keytab.destroy_ticket()

Or in Bash scripts:

export KRB5CCNAME="$(keytab.py init)"
# ... ssh or scp to another machine ...
keytab.py destroy