1 | # kdo is a shell function for interacting with multiple Kerberos |
2 | # credential caches. | |
3 | # | |
4 | # To run a command with a different set of credentials from your | |
5 | # default, run | |
6 | # | |
7 | # kdo <principal> <command> | |
8 | # | |
9 | # e.g., | |
10 | # | |
11 | # kdo broder/root aklog | |
12 | # | |
13 | # If you lack credentials for the specified principal, you'll be | |
14 | # prompted for the password. | |
15 | # | |
16 | # If kdo needs to acquire tickets, it will pass the value of | |
17 | # ${kdo_args[@]} to kinit. I use this to get tickets that last for 15 | |
18 | # minutes, that are renewable for 60 minutes, and aren't forwardable. | |
19 | # | |
20 | # To add kdo support for a new platform, you need to provide an | |
21 | # interface to multiple credential caches by defining two functions: | |
22 | # | |
23 | # - kcaches:: | |
24 | # Print one line per current credential cache of the form "<KRB5CCNAME> <PRINCIPAL>" | |
# - knewcache::
#     Without changing the current credential cache, acquire credentials
#     for the principal in $1, passing the remaining arguments to kinit.
#     knewcache must assign the KRB5CCNAME value of the newly created
#     credential cache to the shell variable `cache` *without* declaring
#     it local: kdo declares `cache` itself and relies on bash's dynamic
#     scoping to pick the value up. It should return non-zero on failure.
31 | # | |
# Also included is krootssh, a wrapper around ssh that runs ssh under
# your root-instance tickets via kdo. It passes
# -o GSSAPIDelegateCredentials=no so that those tickets are never
# forwarded to the remote host, even on the off chance that they are
# forwardable.
36 | ||
# CONFIGURATION
# Flags appended to kinit whenever kdo has to acquire tickets (see the
# header): a 15-minute lifetime, renewable for 60 minutes, not forwardable.
kdo_args=(
    -l15m   # ticket lifetime
    -r60m   # renewable lifetime
    -F      # not forwardable
)
39 | ||
40 | # CC interface for OS X | |
41 | if [ "Darwin" = "$(uname)" ]; then | |
kcaches () {
    # Parse `klist -A` (all caches) into "<KRB5CCNAME> <PRINCIPAL>" lines,
    # the shape the kdo interface requires.  A "Kerberos 5 ticket cache:"
    # line carries the quoted cache name in field 5; the line right after
    # it carries the principal in field 3.
    # NOTE(review): only field 5 is read, so a cache name containing
    # whitespace would be truncated — confirm against the klist in use.
    klist -A | awk '
        /^Kerberos 5 ticket cache:/ {
            name = $5
            name = substr(name, 2, length(name) - 2)   # strip surrounding quotes
            want = NR + 1
        }
        NR == want { print name, $3 }
    '
}
45 | ||
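knewcache () {
    # Acquire tickets for principal $1 with kinit (remaining args are
    # passed to kinit) and report the new cache to the caller by
    # assigning $cache.  Returns 1 if kinit fails, if switching back to
    # the previous cache fails, or if the new cache cannot be located.
    local princ="$1"; shift
    # Name of the cache that was current before kinit, quoted in klist's
    # "Kerberos 5 ticket cache: '...'" line; empty when there is none.
    local oldcache="$(klist | grep 'Kerberos 5 ticket cache' | cut -f 2 -d "'")"
    kinit "$@" "$princ" || return 1
    # Deliberately NOT local: kdo reads $cache through dynamic scoping.
    cache="$(kfindcache "$princ")"
    # On OS X, kinit makes the newly acquired tickets the default
    # credential cache, so restore the previous default if there was one.
    if [ -z "$oldcache" ]; then
        echo "W: Tickets for $princ are now in your default credential cache" >&2
    else
        kswitch -c "$oldcache" || return 1
    fi
    # Fail closed: if the caller got an empty $cache it would run its
    # command against the default cache, i.e. the wrong principal.
    if [ -z "$cache" ]; then
        echo "E: kinit succeeded but no credential cache for $princ was found" >&2
        return 1
    fi
}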
59 | fi | |
60 | ||
61 | # If kcaches and knewcache have been defined for this platform, then | |
62 | # setup kdo. Otherwise, add a helpful error. | |
63 | if hash kcaches &>/dev/null && hash knewcache &>/dev/null; then | |
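kfindcache () {
    # Print the KRB5CCNAME of the cache holding tickets for principal $1,
    # or nothing if there is none.  The principal column is matched
    # exactly; a bare principal (no @REALM) matches any realm.  At most
    # one line is printed so callers never end up with a multi-line
    # KRB5CCNAME.  (A plain substring search here would let "user"
    # match "user/root@..." or several caches at once, and the command
    # would then run under the wrong credentials.)
    # NOTE(review): awk -v interprets backslash escapes in the value;
    # principals are not expected to contain backslashes.
    kcaches | awk -v p="$1" '
        $2 == p || (index(p, "@") == 0 && index($2, p "@") == 1) { print $1; exit }
    '
}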
67 | ||
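kdo () {
    # Run a command with the credentials of a specific principal.
    #   $1  principal (as printed by kcaches; the realm may be omitted)
    #   $@  the command and its arguments
    # Returns 2 on a usage error, 1 if credentials could not be acquired
    # or located, otherwise the exit status of the command.
    if [ $# -lt 2 ]; then
        echo "usage: kdo <principal> <command> [args...]" >&2
        return 2
    fi
    local princ="$1"; shift
    local cache="$(kfindcache "$princ")"
    # If the cache we want holds expired tickets, destroy it so it is not
    # picked up again and clear $cache so we fall through to acquiring a
    # fresh set.  The cache is selected via KRB5CCNAME, matching the
    # kdestroy call below.
    # NOTE(review): MIT klist also accepts the cache as a positional
    # argument, Heimdal klist does not — the env var form is the
    # portable one; confirm on the platforms in use.
    if [ -n "$cache" ] && ! KRB5CCNAME="$cache" klist -s; then
        KRB5CCNAME="$cache" kdestroy
        cache=""
    fi
    if [ -z "$cache" ]; then
        # knewcache assigns $cache in our scope (see header).
        knewcache "$princ" "${kdo_args[@]}" || return 1
    fi
    # Fail closed: an empty KRB5CCNAME would silently run the command
    # against the default cache, i.e. some other principal's tickets.
    if [ -z "$cache" ]; then
        echo "E: no credential cache found for $princ" >&2
        return 1
    fi
    echo "I: Running $1 with cache $cache (for principal $princ)" >&2
    KRB5CCNAME="$cache" "$@"
}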
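_kdo () {
    # Bash completion for kdo: the first word completes to a principal
    # that already has a credential cache, the second to a command name.
    # All working variables are local so completion does not leave
    # globals ($opts used to leak) behind in the interactive shell.
    local cur opts
    COMPREPLY=()
    cur="${COMP_WORDS[COMP_CWORD]}"
    opts="$(kcaches | awk '{ print $2 }')"
    case $COMP_CWORD in
        1)
            COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
            ;;
        2)
            COMPREPLY=($(compgen -c -- "${cur}"))
            ;;
    esac
}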
# Register _kdo as kdo's completer; -o bashdefault falls back to bash's
# default completions when _kdo produces nothing.
complete -F _kdo -o bashdefault kdo
99 | ||
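krootssh () {
    # ssh with your root-instance tickets (ATHENA_USER, else USER, is
    # the principal's base name).  GSSAPIDelegateCredentials=no keeps
    # those tickets from being forwarded to the remote host; it is given
    # before the caller's arguments so that, per ssh's first-value-wins
    # option handling, it cannot be overridden by a later -o.
    # The expansion is quoted so an unexpected space in the user name
    # cannot split the principal into several words.
    kdo "${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU" ssh -o GSSAPIDelegateCredentials=no "$@"
}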
103 | else | |
kdo () {
    # Stub used when no kcaches/knewcache pair exists for this platform:
    # print an explanation on stderr and fail.
    printf '%s\n' "kdo has not been ported to this platform yet." >&2
    return 1
}
108 | ||
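krootssh () {
    # Stub used when no kcaches/knewcache pair exists for this platform:
    # print an explanation on stderr and fail.  (Message typo
    # "plastform" fixed to match the kdo stub.)
    echo "kdo has not been ported to this platform yet." >&2
    return 1
}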
113 | fi | |