# -*- mode: sh -*-
# kdo: work with several Kerberos credential caches from one shell.
#
# Source this file from your .bashrc or .bashrc.mine.
#
# Usage:
#
#     kdo <principal> <command>
#
# runs <command> under credentials for <principal> instead of your
# default ones, e.g.
#
#     kdo broder/root aklog
#
# When no credentials for <principal> exist you are prompted for the
# password; the resulting kinit call receives ${kdo_args[@]} (set below
# to 15-minute tickets, renewable for 60 minutes, not forwardable).
#
# Porting to a new platform means exposing the platform's multiple
# credential caches through two shell functions:
#
# - kcaches::
#     Print one line per current credential cache of the form
#     "<PRINCIPAL> <KRB5CCNAME>".
# - knewcache::
#     Without changing the current credential cache, obtain credentials
#     for the principal in $1, passing the remaining arguments to kinit,
#     and set the shell variable cache to the KRB5CCNAME of the newly
#     created cache.
#
# krootssh, also defined here, wraps ssh so that your root-instance
# tickets are used and are never forwarded, even if they happen to be
# forwardable.

# CONFIGURATION
kdo_args=( '-l15m' '-r60m' '-F' )
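# CC interface for OS X
if [ "Darwin" = "$(uname)" ]; then
    # kcaches: print "<PRINCIPAL> <KRB5CCNAME>" for every cache that
    # klist -A reports.  The perl filter remembers the most recent
    # "Kerberos 5 ticket cache:" line and emits it together with the
    # "Default principal:" line that follows it.
    kcaches () {
        klist -A | perl -ne '$cache = $1 if /^Kerberos 5 ticket cache: '\''(.*)'\''/; print "$1 $cache\n" if /^Default principal: (.*)$/'
    }

    # knewcache <principal> [kinit args...]: acquire tickets for
    # <principal> into a new cache and leave that cache's KRB5CCNAME in
    # the deliberately non-local variable $cache for the caller.
    # Returns 1 if kinit fails.
    knewcache () {
        # $princ used to be assigned without "local" and leaked into
        # the calling shell; nothing outside this function reads it.
        local princ="$1"; shift
        local oldcache
        oldcache="$(klist | grep 'Kerberos 5 ticket cache' | cut -f 2 -d "'")"
        # " # <-- emacs thinks there's an unbalanced " on the previous line.
        kinit "$@" "$princ" || return 1
        cache="$(kfindcache "$princ")"
        # On OS X, kinit switches the default credential cache to the
        # newly acquired tickets, so switch back if there was a
        # previous default; otherwise warn that the default changed.
        if [ -z "$oldcache" ]; then
            echo "W: Tickets for $princ are now in your default credential cache" >&2
        else
            kswitch -c "$oldcache"
        fi
    }
fi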
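# If kcaches and knewcache have been defined for this platform, then
# set up kdo.  Otherwise, install stubs that print a helpful error.
# "declare -F" only succeeds for shell functions, which is what we
# require: knewcache must be a function because it hands the new cache
# back by assigning the shell variable $cache, which no external
# command could do.
if declare -F kcaches >/dev/null && declare -F knewcache >/dev/null; then
    # kfindcache <principal>: print the KRB5CCNAME of the cache whose
    # principal is <principal>, either exactly or with a realm appended
    # (so "broder/root" finds "broder/root@ATHENA.MIT.EDU").  A plain
    # substring match would also let "broder" pick up "broder/root@...".
    # Only the first match is printed so $cache never holds more than
    # one path; everything after the first space is the cache name.
    kfindcache () {
        kcaches | awk -v p="$1" \
            '$1 == p || index($1, p "@") == 1 { print substr($0, index($0, " ") + 1); exit }'
    }

    # kdo <principal> <command> [args...]: run <command> with KRB5CCNAME
    # pointing at a cache that holds valid tickets for <principal>,
    # acquiring them through knewcache (with ${kdo_args[@]}) if needed.
    # Returns 1 on a missing principal, when kinit fails, or when no
    # usable cache could be found afterwards.
    kdo () {
        if [ -z "$1" ]; then
            echo "usage: kdo <principal> <command> [args...]" >&2
            return 1
        fi
        local princ="$1"; shift
        local cache
        cache="$(kfindcache "$princ")"
        # An expired cache is destroyed and forgotten so that we fall
        # through to acquiring fresh tickets instead of retrying it.
        if [ -n "$cache" ] && ! klist -s "$cache"; then
            KRB5CCNAME="$cache" kdestroy
            cache=""
        fi
        if [ -z "$cache" ]; then
            # knewcache assigns our local $cache (bash dynamic scoping).
            knewcache "$princ" "${kdo_args[@]}" || return 1
        fi
        # Never fall back to the default cache: an empty KRB5CCNAME
        # would silently run the command with whatever credentials the
        # default cache happens to hold.
        if [ -z "$cache" ]; then
            echo "E: No credential cache found for $princ" >&2
            return 1
        fi
        echo "I: Running $1 with cache $cache (for principal $princ)" >&2
        # NOTE: with no command words left, bash applies this assignment
        # to the current shell, i.e. "kdo <principal>" alone switches the
        # caller's KRB5CCNAME.
        KRB5CCNAME="$cache" "$@"
    }

    # Bash completion for kdo: the first word completes to a principal
    # that already has a cache, the second to a command name.
    _kdo () {
        local cur opts
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        opts="$(kcaches | awk '{ print $1 }')"
        case $COMP_CWORD in
            1)
                COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
                ;;
            2)
                COMPREPLY=($(compgen -c -- "${cur}"))
                ;;
        esac
    }
    complete -o bashdefault -F _kdo kdo

    # krootssh [ssh args...]: ssh using your root-instance tickets, with
    # credential delegation forced off so they can never be forwarded
    # to the remote host even if they are forwardable.
    krootssh () {
        kdo "${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU" ssh -o GSSAPIDelegateCredentials=no "$@"
    }
else
    kdo () {
        echo "kdo has not been ported to this platform yet." >&2
        return 1
    }

    krootssh () {
        echo "kdo has not been ported to this platform yet." >&2
        return 1
    }
fi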