Fabric authentication with kerberos

Question

I'm trying to write a fabric function that puts a script on a remote host and runs it as root. I don't have the root password to login to the machine, nor am I a sudoer, but I do have a root principle in kerberos. Typically, I can connect to a machine as root with the following:

kinit username/root
(enter root principle pass)

ssh root@host

Connecting in this manner I'm not prompted for a password when ssh'ing to the host.

So I want to emulate this process using fabric. To do so I assumed the following,

kinit user/root

fab task1 task2 --user=root

Unfortunately fabric prompts me for a password, while I do not have the root password, I can't supply this. Fabric will not let me pass a null for the password as far as I can tell. Any ideas?

Answer 1

Looks like Fabric doesn't support Kerberos authentication. If I remember correctly paramiko library doesn't support it either and Fabric uses paramiko (not sure), so it doesn't have corresponding support.

You should go and ask here: http://docs.fabfile.org/en/1.4.1/index.html#getting-help

May be use IRC channel so as to get quick response.

Regards,

Answer 2

There is an open pull request for support of Kerberos in Fabric and it looks like it's working and is almost ready to be merged:

https://github.com/fabric/fabric/pull/1261

Answer 3

Fabric 2.6.0 supports gssapi through paramiko (03/2022). You'll also need to install python-gssapi.

You just need to pass connect_kwargs to __init__():

class GSSConnection(Connection):
   def __init__(self, host):
      connect_kwargs = dict(
         gss_auth=True,
         gss_deleg_creds=True,
         gss_kex=True,
      )
      super().__init__(host, connect_kwargs=connect_kwargs)