Whenever you try to setuid and impersonate as someone else to run something, it is very likely that you will run into kerberos/kinit issues. Example:-
userA:> ssh_as_userB hostC 'someCmd'
This happens because when userA tries to impersonate as userB, and tries to run something from 'hostC' , userB isn't authenticated (yet) at 'hostC', and thus, it requires password authentication from userB (the kerberos/kinit thingie)
Solution #1
In order to prevent it from asking for a password, we can ask userB to ssh to 'hostC'. Once this is done, hostC now has confirmed authentication from userB, and thus, running this command again from userA will now no longer prompt for password:-
userA:> ssh_as_userB hostC 'someCmd'
Solution #2
However, that solution isn't always gonna make sense. We sometimes need to run the command without the need to key in password. Here's what we can do (in layman terms):-
1. create an encrypted password file for userB (keytab)
2. every time, before running any command, we auto-login(kinit) userB with that password file, then only we run the command.
By doing so, we can be sure that the command will not prompt for password anymore (of course unless the password in the keytab file is incorrect :P)
Here's how to do it
###############################
#### To Generate keytab #######
###############################
>ktutil
ktutil: addent -password -p userB@GAR.CORP.INTEL.COM -k 1 -e rc4-hmac
Password for userB@GAR.CORP.INTEL.COM:
ktutil: addent -password -p userB@GAR.CORP.INTEL.COM -k 1 -e aes256-cts
Password for userB@GAR.CORP.INTEL.COM:
ktuil: wkt /nfs/site/home/userB/keytab
ktutil: quit
###############################
##### To run a command ########
###############################
userA:> ssh_as_userB hostC 'unset KRB5CCNAME; /usr/bin/X11/kinit userB@GAR.CORP.INTEL.COM -k -t /nfs/site/home/userB/keytab; "someCmd" '
