ScreenKerberos

Long running screen sessions

Symptoms

You start a screen session on one of our servers. Everything runs fine, you detach the screen and log out. You log back into the server, reattach the screen and realize that things are failing left and right because you lost file system permissions.

Quick solution

Use krbscreen and reauth.

Some more info

Since we are using a Kerberos + AFS environment, things get a bit complicated. When you log in to one of our servers, you authenticate to the user directory and the Kerberos server issues a ticket/token to you. Once you have the ticket, you can authenticate to other services just by showing that ticket. That's why you don't have to enter a password when you ssh into other machines (e.g. ssh whale, enter your password, and once logged in, ssh madmax4 from inside that session; it won't prompt you for a password).

The problem with all of the above is that the ticket/token needs to be renewed every now and then so that it does not expire. While you are logged into a machine this happens automatically. Once you log out, the tickets simply expire. The screen command will keep your session active, but it won't renew your ticket/token. To work around that we have reauth (/afs/cs/software/bin/reauth). This is a little daemon written in Perl that keeps renewing your tickets/tokens in the background.

Below are the steps you need to take to successfully run a long-lived session on our machines:

  1. kill all the existing reauth processes that you might be running
  2. ssh to the relevant host: ssh csid@madmax.stanford.edu
  3. run krbscreen on the host: /afs/cs/software/bin/krbscreen
  4. run reauth: /afs/cs/software/bin/reauth
  5. run your commands inside krbscreen
  6. detach the screen as you would normally

When you decide to re-attach your screen session you can use the regular screen command:

  1. ssh to the relevant host: ssh csid@madmax.stanford.edu
  2. re-attach your screen session: screen -x

krbscreen is just a wrapper around regular screen that runs aklog and makes copies of your current Kerberos tickets.

This will ensure that you won't lose permissions upon screen detachment. As the tickets are valid for 3 days by default, I have not had a chance to test if the sessions will run beyond 3 days (reauth should take care of this).
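
To check from inside a re-attached session whether renewal is keeping up, you can read the remaining lifetime and renewal window of the ticket-granting ticket from klist. The following is an added example, not part of krbscreen, reauth or this site's tooling; it assumes MIT-style klist output and GNU date, and the realm EXAMPLE.ORG, the sample listing and the function names tgt_times and tgt_status are constructed for illustration.

```sh
#!/bin/sh
# Added example (not site code). Assumes MIT-style `klist` columns and GNU `date -d`.

# Constructed sample of `klist` output; realm, cache path and times are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_constructed
Default principal: csid@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/10/2024 09:00:00  01/11/2024 10:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 01/13/2024 09:00:00
01/10/2024 09:00:05  01/11/2024 10:00:00  afs/example.org@EXAMPLE.ORG
        renew until 01/13/2024 09:00:00'

# tgt_times: klist output on stdin -> "<expires_epoch> <renew_until_epoch>" for
# the krbtgt entry (renew_until is 0 if the ticket is not renewable).
# Exit 1: no TGT listed. Exit 2: a timestamp could not be parsed.
tgt_times() (
  out=$(awk '
    $5 ~ /^krbtgt\// { e = $3 " " $4; r = ""; want = 1; next }
    want && $1 == "renew" && $2 == "until" { r = $3 " " $4 }
    { want = 0 }
    END { if (e == "") exit 1; print e "|" r }
  ') || exit 1
  expires=$(date -d "${out%%|*}" +%s) || exit 2
  renew=0
  if [ -n "${out#*|}" ]; then
    renew=$(date -d "${out#*|}" +%s) || exit 2
  fi
  echo "$expires $renew"
)

# tgt_status NOW_EPOCH MIN_LEFT_SECONDS: classify the TGT read from stdin.
#   ok         at least MIN_LEFT_SECONDS of lifetime remain
#   renew-now  little time left, but a renewal can still extend the ticket
#   relogin    little time left and renewal cannot extend it any further
#   expired    the ticket lifetime is over
#   missing    no usable TGT found in the listing
tgt_status() (
  now=$1 min_left=$2
  times=$(tgt_times) || { echo missing; exit 0; }
  expires=${times% *} renew=${times#* }
  if [ "$expires" -le "$now" ]; then echo expired
  elif [ $((expires - now)) -ge "$min_left" ]; then echo ok
  elif [ "$renew" -gt "$expires" ]; then echo renew-now
  else echo relogin
  fi
)

# Inside a live session: klist | tgt_status "$(date +%s)" 3600
```

A result of relogin or expired inside the screen means the ticket can no longer be extended by renewal alone and a fresh password login is needed.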