1 | # kdo is a shell function for interacting with multiple Kerberos |
2 | # credential caches. | |
3 | # | |
4 | # To use kdo, add this snippet to your .bashrc or .bashrc.mine file. |
5 | # | |
6 | # To run a command with a different set of credentials from your |
7 | # default, run | |
8 | # | |
9 | # kdo <principal> <command> | |
10 | # | |
11 | # e.g., | |
12 | # | |
13 | # kdo broder/root aklog | |
14 | # | |
15 | # If you lack credentials for the specified principal, you'll be | |
16 | # prompted for the password. | |
17 | # | |
18 | # If kdo needs to acquire tickets, it will pass the value of | |
19 | # ${kdo_args[@]} to kinit. I use this to get tickets that last for 15 | |
20 | # minutes, that are renewable for 60 minutes, and aren't forwardable. | |
21 | # | |
22 | # To add kdo support for a new platform, you need to provide an | |
23 | # interface to multiple credential caches by defining two functions: | |
24 | # | |
25 | # - kcaches:: | |
26 | # Print one line per current credential cache of the form "<KRB5CCNAME> <PRINCIPAL>" | |
27 | # - knewcache:: | |
28 | # Without changing the current credentials cache, get credentials | |
29 | # for the principal in $1, passing the remaining arguments to | |
30 | # kinit. | |
31 | # knewcache should set the variable cache with the KRB5CCNAME | |
32 | # value for the newly created credential cache | |
33 | # | |
34 | # Also included is krootssh, a wrapper around ssh for using your | |
35 | # root-instance tickets with ssh. It ensures that your tickets don't | |
36 | # get accidentally forwarded, on the off chance that you have | |
37 | # forwardable tickets. | |
38 | ||
39 | # CONFIGURATION | |
# kinit flags used whenever kdo has to acquire fresh tickets: a 15-minute
# lifetime (-l), renewable for 60 minutes (-r), and not forwardable (-F).
kdo_args=("-l15m" "-r60m" "-F")
41 | ||
42 | # CC interface for OS X | |
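if [ "Darwin" = "$(uname)" ]; then
    # kcaches: print "<KRB5CCNAME> <PRINCIPAL>" for every cache klist -A
    # knows about.  klist -A prints the cache name (quoted, field 5) on one
    # line and the principal (field 3) on the next, so remember the cache
    # and emit both once the principal line arrives.  substr() strips the
    # surrounding quotes from the cache name.
    kcaches () {
        klist -A | awk '/^Kerberos 5 ticket cache:/ {cache = $5; princline=NR+1} NR==princline {print substr(cache, 2, length(cache)-2), $3}'
    }

    # knewcache: acquire tickets for the principal in $1, passing the
    # remaining arguments to kinit, without leaving the user's default
    # credential cache changed.  On success the (deliberately non-local)
    # variable $cache holds the KRB5CCNAME of the new cache; returns 1 if
    # kinit fails or the new cache cannot be located.
    knewcache () {
        local princ="$1"; shift
        # Remember the current default cache: on OS X kinit switches the
        # default to the newly acquired tickets, and we want to switch back.
        local oldcache="$(klist | grep 'Kerberos 5 ticket cache' | cut -f 2 -d "'")"
        kinit "$@" "$princ" || return 1
        # Not 'local' on purpose: the caller (kdo) reads $cache after return.
        cache="$(kfindcache "$princ")"
        if [ -z "$oldcache" ]; then
            echo "W: Tickets for $princ are now in your default credential cache" >&2
        else
            kswitch -c "$oldcache"
        fi
        # Without a cache name kdo would fall through to the default cache,
        # i.e. run the command with the wrong credentials; fail loudly instead.
        if [ -z "$cache" ]; then
            echo "E: Could not locate the credential cache just created for $princ" >&2
            return 1
        fi
    }
fi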
62 | ||
63 | # If kcaches and knewcache have been defined for this platform, then | |
64 | # setup kdo. Otherwise, add a helpful error. | |
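if hash kcaches &>/dev/null && hash knewcache &>/dev/null; then
    # kfindcache: print the KRB5CCNAME of the cache holding tickets for
    # exactly the principal in $1 (first match only, so the result is a
    # single line).  An exact comparison on the principal field is used
    # rather than a substring search, so that e.g. "user" cannot select
    # the cache for "user/root@REALM".
    kfindcache () {
        kcaches | awk -v princ="$1" '$2 == princ {print $1; exit}'
    }

    # kdo: run a command with the credentials of the given principal.
    #   kdo <principal> <command> [args...]
    # Tickets are acquired (with ${kdo_args[@]} passed to kinit) if no
    # usable cache exists.  Returns 1 on usage errors or if tickets
    # cannot be obtained; otherwise returns the command's exit status.
    kdo () {
        if [ -z "$1" ]; then
            echo "usage: kdo <principal> <command> [args...]" >&2
            return 1
        fi
        local princ="$1"; shift
        local cache="$(kfindcache "$princ")"
        # If the cache that we want to use has expired tickets, destroy
        # it so we don't try to use it again and clear $cache so that
        # we acquire a new set of tickets below.
        if [ -n "$cache" ] && ! klist -s "$cache"; then
            KRB5CCNAME="$cache" kdestroy
            cache=""
        fi
        if [ -z "$cache" ]; then
            # knewcache assigns our local $cache (bash dynamic scoping).
            knewcache "$princ" "${kdo_args[@]}" || return 1
        fi
        # With no command, 'KRB5CCNAME=... "$@"' would be a bare assignment
        # and silently re-point the *current shell* at this cache; report
        # the cache instead so the default credentials are never switched.
        if [ $# -eq 0 ]; then
            echo "I: Tickets for $princ are in cache $cache; no command given" >&2
            return 0
        fi
        echo "I: Running $1 with cache $cache (for principal $princ)" >&2
        KRB5CCNAME="$cache" "$@"
    }

    # _kdo: bash completion for kdo -- principals with a known cache for
    # the first argument, command names for the second.
    _kdo () {
        local cur opts
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        case $COMP_CWORD in
            1)
                # Only consult kcaches when completing the principal.
                opts="$(kcaches | awk '{ print $2 }')"
                COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
                ;;
            2)
                COMPREPLY=($(compgen -c -- "${cur}"))
                ;;
        esac
    }
    complete -o bashdefault -F _kdo kdo

    # krootssh: ssh using the root-instance tickets, with credential
    # delegation disabled so forwardable tickets are never handed to the
    # remote host.  The principal is quoted so an unusual $USER cannot be
    # split into several arguments.
    krootssh () {
        kdo "${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU" ssh -o GSSAPIDelegateCredentials=no "$@"
    }
else
    # No credential-cache interface for this platform: install stubs that
    # explain the problem instead of failing with "command not found".
    kdo () {
        echo "kdo has not been ported to this platform yet." >&2
        return 1
    }

    krootssh () {
        echo "kdo has not been ported to this platform yet." >&2
        return 1
    }
fi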
116 |