[Scripts/git/.git] / kerberos / kdo

# kdo is a shell function for interacting with multiple Kerberos
# credential caches.
#
# To use kdo, add this snippet to your .bashrc or .bashrc.mine file.
#
# To run a command with a different set of credentials from your
# default, run
#
#     kdo <principal> <command>
#
# e.g.,
#
#     kdo broder/root aklog
#
# If you lack credentials for the specified principal, you'll be
# prompted for the password.
#
# If kdo needs to acquire tickets, it will pass the value of
# ${kdo_args[@]} to kinit. I use this to get tickets that last for 15
# minutes, that are renewable for 60 minutes, and aren't forwardable.
#
# To add kdo support for a new platform, you need to provide an
# interface to multiple credential caches by defining two functions:
#
#  - kcaches::
#      Print one line per current credential cache of the form "<KRB5CCNAME> <PRINCIPAL>" 
#  - knewcache::
#      Without changing the current credentials cache, get credentials
#      for the principal in $1, passing the remaining arguments to
#      kinit.
#      knewcache should set the variable cache with the KRB5CCNAME
#      value for the newly created credential cache
#
# Also included is krootssh, a wrapper around ssh for using your
# root-instance tickets with ssh. It ensures that your tickets don't
# get accidentally forwarded, on the off chance that you have
# forwardable tickets.

# CONFIGURATION
kdo_args=(-l15m -r60m -F)

# CC interface for OS X
if [ "Darwin" = "$(uname)" ]; then
    kcaches () {
        klist -A | awk '/^Kerberos 5 ticket cache:/ {cache = $5; princline=NR+1} NR==princline {print substr(cache, 2, length(cache)-2), $3}'
    }

    knewcache () {
        princ="$1"; shift
        local oldcache="$(klist | grep 'Kerberos 5 ticket cache' | cut -f 2 -d "'")"
        kinit "$@" "$princ" || return 1
        cache="$(kfindcache "$princ")"
        # On OS X, kinit will switch your default credential cache to
        # that of the newly acquired tickets, so switch back if we can
        if [ -z "$oldcache" ]; then
            echo "W: Tickets for $princ are now in your default credential cache" >&2
        else
            kswitch -c "$oldcache"
        fi
    }
fi

# If kcaches and knewcache have been defined for this platform, then
# setup kdo. Otherwise, add a helpful error.
if hash kcaches &>/dev/null && hash knewcache &>/dev/null; then
    kfindcache () {
        kcaches | fgrep "$1" | awk '{print $1}'
    }

    kdo () {
        local princ="$1"; shift
        local cache="$(kfindcache "$princ")"
        # If the cache that we want to use has expired tickets, then
        # destroy that cache so we don't try to use it again and clear
        # $cache so that we'll revert to acquiring a new set of
        # tickets
        if [ -n "$cache" ] && ! klist -s "$cache"; then
            KRB5CCNAME="$cache" kdestroy
            cache=""
        fi
        if [ -z "$cache" ]; then
            knewcache "$princ" "${kdo_args[@]}" || return 1
        fi
        echo "I: Running $1 with cache $cache (for principal $princ)" >&2
        KRB5CCNAME="$cache" "$@"
    }
    _kdo () {
        local cur
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        opts="$(kcaches | awk '{ print $2 }')"
        case $COMP_CWORD in
            1)
                COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
                ;;
            2)
                COMPREPLY=($(compgen -c -- "${cur}"))
        esac
    }
    complete -o bashdefault -F _kdo kdo

    krootssh () {
        kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU ssh -o GSSAPIDelegateCredentials=no "$@"
    }
else
    kdo () {
        echo "kdo has not been ported to this platform yet." >&2
        return 1
    }

    krootssh () {
        echo "kdo has not been ported to this plastform yet." >&2
        return 1
    }
fi
Commit	Line	Data
28e020a8 EB	1	# kdo is a shell function for interacting with multiple Kerberos
	2	# credential caches.
	3	#
8de9cec2 EB	4	# To use kdo, add this snippet to your .bashrc or .bashrc.mine file.
8de9cec2 EB	5	#
28e020a8 EB	6	# To run a command with a different set of credentials from your
	7	# default, run
	8	#
	9	# kdo <principal> <command>
	10	#
	11	# e.g.,
	12	#
	13	# kdo broder/root aklog
	14	#
	15	# If you lack credentials for the specified principal, you'll be
	16	# prompted for the password.
	17	#
	18	# If kdo needs to acquire tickets, it will pass the value of
	19	# ${kdo_args[@]} to kinit. I use this to get tickets that last for 15
	20	# minutes, that are renewable for 60 minutes, and aren't forwardable.
	21	#
	22	# To add kdo support for a new platform, you need to provide an
	23	# interface to multiple credential caches by defining two functions:
	24	#
	25	# - kcaches::
	26	# Print one line per current credential cache of the form "<KRB5CCNAME> <PRINCIPAL>"
	27	# - knewcache::
	28	# Without changing the current credentials cache, get credentials
	29	# for the principal in $1, passing the remaining arguments to
	30	# kinit.
	31	# knewcache should set the variable cache with the KRB5CCNAME
	32	# value for the newly created credential cache
	33	#
	34	# Also included is krootssh, a wrapper around ssh for using your
	35	# root-instance tickets with ssh. It ensures that your tickets don't
	36	# get accidentally forwarded, on the off chance that you have
	37	# forwardable tickets.
	38
	39	# CONFIGURATION
	40	kdo_args=(-l15m -r60m -F)
	41
	42	# CC interface for OS X
	43	if [ "Darwin" = "$(uname)" ]; then
	44	kcaches () {
	45	klist -A \| awk '/^Kerberos 5 ticket cache:/ {cache = $5; princline=NR+1} NR==princline {print substr(cache, 2, length(cache)-2), $3}'
	46	}
	47
	48	knewcache () {
	49	princ="$1"; shift
	50	local oldcache="$(klist \| grep 'Kerberos 5 ticket cache' \| cut -f 2 -d "'")"
	51	kinit "$@" "$princ" \|\| return 1
	52	cache="$(kfindcache "$princ")"
	53	# On OS X, kinit will switch your default credential cache to
	54	# that of the newly acquired tickets, so switch back if we can
	55	if [ -z "$oldcache" ]; then
	56	echo "W: Tickets for $princ are now in your default credential cache" >&2
	57	else
	58	kswitch -c "$oldcache"
	59	fi
	60	}
	61	fi
	62
	63	# If kcaches and knewcache have been defined for this platform, then
	64	# setup kdo. Otherwise, add a helpful error.
	65	if hash kcaches &>/dev/null && hash knewcache &>/dev/null; then
	66	kfindcache () {
	67	kcaches \| fgrep "$1" \| awk '{print $1}'
	68	}
	69
70	kdo () {
71	local princ="$1"; shift
72	local cache="$(kfindcache "$princ")"
73	# If the cache that we want to use has expired tickets, then
74	# destroy that cache so we don't try to use it again and clear
75	# $cache so that we'll revert to acquiring a new set of
76	# tickets
77	if [ -n "$cache" ] && ! klist -s "$cache"; then
78	KRB5CCNAME="$cache" kdestroy
79	cache=""
80	fi
81	if [ -z "$cache" ]; then
82	knewcache "$princ" "${kdo_args[@]}" \|\| return 1
83	fi
84	echo "I: Running $1 with cache $cache (for principal $princ)" >&2
85	KRB5CCNAME="$cache" "$@"
86	}
87	_kdo () {
88	local cur
89	COMPREPLY=()
90	cur="${COMP_WORDS[COMP_CWORD]}"
91	opts="$(kcaches \| awk '{ print $2 }')"
92	case $COMP_CWORD in
93	1)
94	COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
95	;;
96	2)
97	COMPREPLY=($(compgen -c -- "${cur}"))
98	esac
99	}
100	complete -o bashdefault -F _kdo kdo
101
102	krootssh () {
103	kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU ssh -o GSSAPIDelegateCredentials=no "$@"
104	}
105	else
106	kdo () {
107	echo "kdo has not been ported to this platform yet." >&2
108	return 1
109	}
110
111	krootssh () {
112	echo "kdo has not been ported to this plastform yet." >&2
113	return 1
114	}
115	fi
116