How does one authenticate with a command that requires your password in linux?

Question

I have this issue that if I run nohup in a server for some reason when I log out of the server the permissions change and it crashes.

So I was recommended to run this:

/afs/cs/software/bin/reauth

in tmux/screen. But I want to use tmux. So I wanted to put that command in main.sh script but it requests my my password. Is there a way to give/type a password into the command so that it's in the main.sh script and when I run it it just runs without user interaction?

Currently I do:

/afs/cs/software/bin/reauth

and it requests my interaction

(metalearning_gpu) brando9~/diversity-for-predictive-success-of-meta-learning $ /afs/cs/software/bin/reauth
Password for brando9: 

but want it to just work/authenticate by me typing the password once.

Details from the servers wiki:

Long-running jobs
Problem
You start a screen session on one of our servers. Everything runs fine, you detach the screen and log out. You log back into the server, reattach the screen and realize that things are failing left and right because you lost file system permissions.
Solution
Use krbscreen and reauth.
How to use krbscreen and reauth
Below are the steps you need to take to successfully run a long-lived session on our machines:
kill all the existing reauth processes that you might be running
ssh to the relevant host: ssh csid@madmax.stanford.edu
run krbscreen on the host: /afs/cs/software/bin/krbscreen; run krbtmux on the host: /afs/cs/software/bin/krbtmux
run reauth: /afs/cs/software/bin/reauth
your commands inside krbscreen
detach the screen as you would normally
When you decide to re-attach your screen session you can use the regular screen command:
ssh to the relevant host: ssh csid@madmax.stanford.edu
re-attach your screen session: screen -x
krbscreen is just a wrapper around regular screen that runs aklog and makes copies of your current kerberos tickets.

in case the link https://ilwiki.stanford.edu/doku.php?id=hints:long-jobs doesn't work.

Contents of rauth:

(metalearning_gpu) brando9~ $ cat /afs/cs/software/bin/reauth
#!/usr/bin/perl
# $Id: reauth 2737 2011-06-20 18:14:05Z miles $
#
# Original version (C) Martin Schulz, 2'2002
# University Karlsruhe
#
# Modifications by Miles Davis <miles@cs.stanford.edu>
#  Super minimal -- call programs rather than functions to reduce dependence
#  on extra perl modules.
#
# Heimdal patches thanks to Georgios Asimenos <asimenos@cs.stanford.edu>
#
General:
##########
This little script aims at maintaining a valid AFS token from a
users password for long running jobs.
As everybody knows (or should know) Kerberos tickets and AFS tokens
only have a limited lifetime. This is so by design and is usually
reasonable. After 12 hours, it is no more obvious that it is really
that user sitting in front of the computer that once typed the
correct password in. Furthermore the damage caused by compromized
AFS tokens is limited to the lifetime of that ticket.
However, there are situations when users want to use long running
jobs that will write to AFS filespace for several days. Renewable
tickets are not so much of help here, since they can only be renewed
if ....
Therefore the secret has somehow deposited on the local computer
that will run the long time job. This can be eiter done by storing a
keytab on the local disk, maybe with a cron(*) principal with
reduces priviledges. The approach taken here is to work with the
original password and keep it in RAM only.
When starting this program, the user is asked for his principal and
the corresponding password. Then the TGT and AFS token is obtained
and displayed, afterwards, a background process is forked and the
main process will return to the system prompt. The workload program
can now be started.
The background process will periodically attempt to obtain krb
tickets and AFS tokens. If this fails for some reason (Kerberos
server not available or anything, the program aborts.
aklog does not create a new pag if not told so. If you want your
background process have a separate pag, create it beforehand.
The reauth.pl program will work until eternity if is not stopped
somehow. The canonical way is kill it by "kill $pid", where $pid is
the process id printed before the return of the initial call to
reauth.pl or found in the output of "ps".
(*) Cron jobs are another issue. Our institute introduced
user.cron-style principals to enable cron to obtain a token and then
work on restricted parts of the users home directories.
Security issues:
##################
reauth.pl will run forever if you do not stop it, so don't forget that!
The password is kept in RAM (of the child process). AFAIK, this can
only be recovered by local root (who you need to trust anyway). It
will not survive a reboot of the local machine.
The password is not kept on any disk. Therefore any bootfloppy
(reboot to single user mode..)  or screwdriver (take disk away..)
attacks are not promising.
Be aware that your NSA-, FBI-, MI5-, KGB-, ElQaida-, or (*insert
your favorite opponent or competitor here*)-sponsored cleaning
personnel or coworkers might have even more elaborate means... :-)
BUGS:
#######
Only mildly tested only on Linux and Solaris.
Uses kinit, aklog, klist and tokens programs for a KerberosV/ Ken
Hornstein's migration kit centered AFS setup. Please adjust to your
config.
###########################################################################
Configs:
kinit program, add path if necessary
if ( -e "/usr/kerberos/bin/kinit" ) {
    $kinit="/usr/kerberos/bin/kinit";
} elsif ( -e "/usr/lib/heimdal/bin/kinit" ) {
    $kinit = "/usr/lib/heimdal/bin/kinit";
} elsif ( -e "/usr/bin/kinit" ) {
    $kinit="/usr/bin/kinit";
} else {
    die("Couln't find kinit.\n");
}
aklog program, add path if necessary
if ( -e "/usr/bin/aklog" ) {
    $aklog="/usr/bin/aklog";
} elsif ( -e "/usr/lib/heimdal/bin/afslog" ) {
    # or, afslog, for heimdal weirdos
    $aklog="/usr/lib/heimdal/bin/afslog";
} else {
    die("Couln't find aklog or afslog.\n");
}
klist program, add path if necessary
$klist="/usr/kerberos/bin/klist";
tokens program, add path if necessary
$tokens="/usr/bin/tokens";
#################################################################
Program:
use Getopt::Long;
use POSIX qw(setuid);
use POSIX qw(setgid);
use POSIX qw(setsid);
Defaults for command line options.
my $keytab = '';
my $command = '';
my $username = '';
my $debug = 0;
my $verbose = 0;
my $interval=15000; # time interval in seconds: 4+ hours:
my %opts = (
    # Keytab
    'k=s' => sub {
                    $keytab = @[1];
                    $kinit_opts .= "-k -t $keytab ";
                },
    # Run command
    'c=s' => sub {
                    $command = @[1];
                },
    # Run command as user
    'u=s' => sub {
                    $username = @[1];
                },
    # Time interval to sleep
    'i=i' => sub {
                    $interval = @[1];
                },
    # Debug
    'd'   => sub {
                    $debug++;
                },
    # Be versbose
    'v'   => sub {
                    $verbose++;
                },
);
GetOptions(%opts) or die "Usage: reauth [ -k=keytab ] [ -u user ] [ -i <sleep_interval ] [ -v ] [ -c <command> ]\n";
if(@ARGV) {
    $princ = $ARGV[0];
    debug_print(2, "Principal name provided by argument = $princ");
} else {
Assume we want the login name as the principal name
$princ = getpwuid($&lt;);
debug_print(2, &quot;Principal name provided by argument = $princ&quot;);

}
if ($keytab) {
    # Don't ask for password, a keytab was provided.
    debug_print(1, "Keytab provided = $keytab");
} else {
    # read password, but turn off echo before:
    print "Password for $princ: ";
    system "stty -echo";
    $passwd = <STDIN>;
    system "stty echo";
    printf "\n";
    chomp $passwd;
    # Actually get the tickets/tokens
    if(obtain_tokens()!=0) {
        die "Can't obtain kerberos tickets\n";
    }
    if ($verbose) {
        show_tokens();
    }
}
fork to go into background:
a) the parent will exit
b) the child will work on
$pid = fork();
if ($pid) {
    # I am the parent.
    printf "Background process pid is: $pid\n";
    if ($command) {
        debug_print(1,"Waiting for child to die.");
        wait;
        debug_print(1,"Child is dead.");
    }
    exit 0;
} else {
    # I am the child.
    debug_print(2,"I am process $$");
    print "Can't set session id\n" unless setsid();
debug_print(2,&quot;KRB5CCNAME: &quot; . $ENV{KRB5CCNAME});
#if ($ENV{KRB5CCNAME}) {
    #$ENV{KRB5CCNAME} =  $ENV{KRB5CCNAME} . &quot;_reauth_$$&quot;;
#} else {
    #$ENV{KRB5CCNAME} =  &quot;/tmp/krb5cc_reauth_$$&quot;;
#}

#debug_print(2,&quot;Creating &quot; . $ENV{KRB5CCNAME});
#system &quot;touch $ENV{KRB5CCNAME}&quot;;


if ($username) {
    debug_print(1, &quot;Looking up UID for $username&quot;);
    ($name,$passwd,$UID,$GID, @junk) = getpwnam($username);
    debug_print(1, &quot;Changing to UID $UID, GID $GID&quot;);
    print &quot;Can't set group id\n&quot; unless setgid($GID);
    print &quot;Can't set user id\n&quot; unless setuid($UID);
    if ($ENV{KRB5CCNAME}) {
        $ENV{KRB5CCNAME} =  $ENV{KRB5CCNAME} . &quot;_reauth_$$&quot;;
    } else {
        $ENV{KRB5CCNAME} =  &quot;/tmp/krb5cc_reauth_$$&quot;;
    }
}

debug_print(2, &quot;Running as uid &quot; . $&lt;);
# Actually get the tickets/tokens
if(obtain_tokens()!=0) {
    die &quot;Can't obtain kerberos tickets\n&quot;;
}

if ($verbose) {
    show_tokens();
}

# If I was told to run a command, do it.
if ($command) {
    debug_print(1,&quot;About to exec $command&quot;);
    exec($command) or die &quot;Can't execute '$command'.\n&quot;;
    exit
}

debug_print(2,&quot;Going into auth loop (interval is $interval).&quot;);

#close(STDOUT);
#close(STDERR);

# Otherwise, work until killed:
while (1) {
    debug_print(2,&quot;Waking up to obtain new tokens.&quot;);
    obtain_tokens();
    if ($verbose) {
        show_tokens();
    }
    sleep $interval;
};

}
#################################################################
sub obtain_tokens() {
ignore sigpipes' (according to perlopentut)
$SIG{PIPE} = 'IGNORE';
#debug_print(1,&quot;Running: | $kinit -f $kinit_opts -p $princ 1&gt;/dev/null 2&gt;&amp;1&quot;);


run kinit
open(KINIT, "| $kinit -f $kinit_opts -p $princ 1>/dev/null 2>&1");
pass password to stdin, password does not show up on command line
if (! $keytab) {
      print(KINIT "${passwd}\n");
  }
close pipe and get status
close(KINIT); $status=$?;
debug_print(1,&quot;kinit exited with status $status\n&quot;);

act on status..
if($status == 256) {
        if ($verbose) {
            print "WARNING: kinit is not able to obtain Kerberos ticket ($status).\n";
            print "         Possible DNS or network problem. Continuing anyway...\n";
        }
        return 1;
  } elsif($status!=0) {
    print "kinit is not able to obtain Kerberos ticket: $status\n";
     return 2;
  };
debug_print(1,&quot;Running $aklog...\n&quot;);

$status = system "$aklog >/dev/null" ;
    debug_print(1,"aklog exited with status $status\n");
  if($status!=0) {
    print "aklog is not able to obtain AFS token: $status\n";
     return 3;
  };
return 0;
};
##################################################################
sub show_tokens() {
    system $klist ;
    system $tokens ;
};
##################################################################
sub debug_print($$) {
    my $level = shift;
    my $message = shift;
if ($debug &gt;= $level) {
    print &quot;DEBUG$debug: $message\n&quot;;
}

}
##################################################################

related: How does one send new commands to run to an already running nohup process or run two commands together/concurrently in nohup? trying to run reauth (renewing the kerberos ticket) inside a nohup command with other commands.

Answer 1

Not knowing what reauth does in detail, it's a bit hard to guess what would solve your situation, but I believe you shouldn't have to pass your passwort anywhere.

So, situation is this: The system you're accessing uses Kerberos for authentication. That means when you log in, your password (or other means of authentication) is used to request a ticket. Tickets are access codes, essentially. The ticket that is requested at login is what is called a ticket-granting ticket, so you can give out tickets to the other parts of software you need to have access to things; especially to access directories over NFS (network file system).

That ticket-granting ticket expires in regular intervals; run klist to see it, and its expiry time. You'll also see a row that says "renew until"; you can renew such a ticket within that period without having to prove that you know some authenticating secret (password). The period is typically a week.

So, if you have no job that runs longer than the "renew until" time, you can just renew your ticket-granting ticket without a password, and will continue to be able to access all the files you need.

Simply run kinit -R before the "Expires" of your ticket. On most systems, tickets expire after 10 hrs, but yours might be different. Anyway, say it expires after 4 hours, then renewing your ticket once every 1.5 hours is a perfectly sane way (and not too annoying). You can solve that problem simply with a tiny while loop that you run in a separate tmux window

while true; do kinit -R; sleep $((60 * 60 * 3 / 2)); done

Now, if your job runs longer than the "renew until" date, bad luck, at some point you'll have to get a new ticket-granting ticket with a password. Luckily, kinit isn't picky about from where it gets that password. So, you can just pipe your password into kinit; something like

echo 'totally secret password' | kinit user@DOMAIN.EDU

would do, with user@DOMAIN.EDU being the same thing that you see in klist as "Default principal".

Since a script like reauth running on your machine can't know your password, it needs to ask for; but I bet in the end it mostly does exactly this: renew the renewable ticket-granting tickets as long as possible without password, and once a week, request a new ticket-granting ticket using the password it asked for when launched.