Persistent screen or tmux session on lxplus

Setting up a password-less Kerberos token

In order for the Kerberos token to be refreshed automatically, it must be possible to do so without a password. Therefore, we create a keytab (similar to a private SSH key) on lxplus using the keytab utility, ktutil. After starting it by typing ktutil, type the following three lines into the prompt and confirm the first two steps with your password.

    add_entry -password -p USERNAME@CERN.CH -k 1 -e arcfour-hmac-md5
    add_entry -password -p USERNAME@CERN.CH -k 1 -e aes256-cts
    wkt USERNAME.keytab

and close the ktutil prompt with Ctrl+D. This will create a file called USERNAME.keytab in the current directory. It is strongly recommended to store this file in a directory to which only you have access, as anyone who obtains a copy of this file can use it to obtain tokens in your name.

NOTE that the domain name CERN.CH has to be all uppercase, while the USERNAME should match your case-sensitive CERN username.

Making use of the keytab

This keytab file can now be used to obtain Kerberos tokens without having to type a password:

    kinit -k -t USERNAME.keytab USERNAME@CERN.CH

where -k tells kinit to use a keytab file and -t USERNAME.keytab tells it where this keytab is located.

Using k5reauth to automatically refresh your Kerberos token

To create a permanent tmux or screen session, use the k5reauth command. By default it starts a new shell as its child and keeps renewing the Kerberos token for its children. k5reauth can start a process other than a new shell if you specify the program you want to start as an argument:

    k5reauth -f -i 3600 -p .... -- <command>

To start screen or tmux run:

    k5reauth -f -i 3600 -p USERNAME -k /path/to/USERNAME.keytab -- tmux new-session -s NAME

which will create a tmux session whose Kerberos token is refreshed automatically every 3600 seconds. When attaching back to the process, a simple

    tmux attach-session -t NAME

or

    tmux a

(if you want to attach the most recently used session) is sufficient.

You will almost certainly want to use an alias or function to access this command. One way to do that would be to copy and paste the following into your ~/.bashrc (if you use bash):

    ktmux() {
        if [[ -z "$1" ]]; then # no argument passed
            k5reauth -f -i 3600 -p USERNAME -k /path/to/USERNAME.keytab -- tmux new-session
        else # pass the argument as the tmux session name
            k5reauth -f -i 3600 -p USERNAME -k /path/to/USERNAME.keytab -- tmux new-session -s "$1"
        fi
    }

You could then start a tmux session named “Test” using

    ktmux Test
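
The recommendation to keep the keytab where only you have access can be enforced in the ktmux function itself. The following is an added example, not part of the original page: keytab_is_private and owner_only are hypothetical helper names, and the check assumes POSIX mode bits govern access (on file systems that enforce directory ACLs instead, such as AFS, inspect the ACL as well).

```bash
# Added example. KEYTAB and PRINCIPAL are placeholders; set them to your own values.
KEYTAB="${KEYTAB:-/path/to/USERNAME.keytab}"
PRINCIPAL="${PRINCIPAL:-USERNAME}"

# Succeeds only if the path is owned by the current user and its mode grants
# nothing to group or other (characters 5-10 of the `ls -ld` mode string).
owner_only() (
    [ -e "$1" ] && [ -O "$1" ] || exit 1
    bits=$(ls -ld -- "$1" | cut -c5-10)
    [ "$bits" = "------" ]
)

# Succeeds only if the keytab is a regular file (not a symlink) that is
# private and sits in a directory that is private as well.
keytab_is_private() (
    [ -f "$1" ] && [ ! -L "$1" ] || exit 1
    dir=$(dirname -- "$1")
    owner_only "$1" && owner_only "$dir"
)

# Same behaviour as the ktmux function above, but refuses to start when the
# keytab could be read or replaced by another account.
ktmux() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "ktmux: $KEYTAB or its directory is accessible to others; refusing" >&2
        return 1
    fi
    if [ -z "$1" ]; then
        k5reauth -f -i 3600 -p "$PRINCIPAL" -k "$KEYTAB" -- tmux new-session
    else
        k5reauth -f -i 3600 -p "$PRINCIPAL" -k "$KEYTAB" -- tmux new-session -s "$1"
    fi
}
```

With POSIX permissions, `chmod 700` on the directory and `chmod 600` on the keytab satisfy the check.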