[Scripts/git/.git] / kerberos / kdo

# -*- mode: sh -*-
# kdo is a shell function for interacting with multiple Kerberos
# credential caches.
#
# To use kdo, add this snippet to your .bashrc or .bashrc.mine file.
#
# To run a command with a different set of credentials from your
# default, run
#
#     kdo <principal> <command>
#
# e.g.,
#
#     kdo broder/root aklog
#
# If you lack credentials for the specified principal, you'll be
# prompted for the password.
#
# If kdo needs to acquire tickets, it will pass the value of
# ${kdo_args[@]} to kinit. I use this to get tickets that last for 15
# minutes, that are renewable for 60 minutes, and aren't forwardable.
#
# To add kdo support for a new platform, you need to provide an
# interface to multiple credential caches by defining two functions:
#
#  - kcaches::
#      Print one line per current credential cache of the form "<PRINCIPAL> <KRB5CCNAME>"
#  - knewcache::
#      Without changing the current credentials cache, get credentials
#      for the principal in $1, passing the remaining arguments to
#      kinit.
#      knewcache should set the variable cache with the KRB5CCNAME
#      value for the newly created credential cache
#
# Also included is krootssh, a wrapper around ssh for using your
# root-instance tickets with ssh. It ensures that your tickets don't
# get accidentally forwarded, on the off chance that you have
# forwardable tickets.

# CONFIGURATION
kdo_args=(-l15m -r60m -F)

# CC interface for OS X or modern MIT krb5
if type kswitch &>/dev/null; then
    kcaches () {
        klist -A | perl -ne '$cache = $1 if /^(?:Kerberos 5 ticket|Ticket|Credentials) cache: '\''?(.*)'\''?/; print "$1 $cache\n" if /^(?:Default p|P)rincipal: (.*)$/'
    }

    knewcache () {
        princ="$1"; shift
        local oldcache="$(klist | perl -ne 'print $1 if /^(?:Kerberos 5 ticket|Ticket|Credentials) cache: '\''?(.*)'\''?/')"
        # " # <-- emacs thinks there's an unbalanced " on the previous line.
        kinit "$@" "$princ" || return 1
        cache="$(kfindcache "$princ")"
        # On OS X, kinit will switch your default credential cache to
        # that of the newly acquired tickets, so switch back if we can
        if [ -z "$oldcache" ]; then
            echo "W: Tickets for $princ are now in your default credential cache" >&2
        else
            kswitch -c "$oldcache"
        fi
    }
fi

# If kcaches and knewcache have been defined for this platform, then
# setup kdo. Otherwise, add a helpful error.
if type kcaches &>/dev/null && type knewcache &>/dev/null; then
    kfindcache () {
        kcaches | fgrep "$1" | cut -d' ' -f2-
    }

    kdo () {
        local princ="$1"; shift
        local cache="$(kfindcache "$princ")"
        # If the cache that we want to use has expired tickets, then
        # destroy that cache so we don't try to use it again and clear
        # $cache so that we'll revert to acquiring a new set of
        # tickets
        if [ -n "$cache" ] && ! (KRB5CCNAME="$cache" klist -s); then
            KRB5CCNAME="$cache" kdestroy
            cache=""
        fi
        if [ -z "$cache" ]; then
            knewcache "$princ" "${kdo_args[@]}" || return 1
        fi
        echo "I: Running $1 with cache $cache (for principal $princ)" >&2
        KRB5CCNAME="$cache" "$@"
    }
    _kdo () {
        local cur
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        opts="$(kcaches | awk '{ print $1 }')"
        case $COMP_CWORD in
            1)
                COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
                ;;
            2)
                COMPREPLY=($(compgen -c -- "${cur}"))
        esac
    }
    if type complete &>/dev/null; then
        complete -o bashdefault -F _kdo kdo
    fi

else
    kdo () {
        echo "kdo has not been ported to this platform yet." >&2
        return 1
    }
fi

krootssh () {
    kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU ssh -o GSSAPIDelegateCredentials=no "$@"
}

krootscp () {
    kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU scp -o GSSAPIDelegateCredentials=no "$@"
}
Commit	Line	Data
fc9ab391	1	# -- mode: sh --
28e020a8 EB	2	# kdo is a shell function for interacting with multiple Kerberos
	3	# credential caches.
	4	#
8de9cec2 EB	5	# To use kdo, add this snippet to your .bashrc or .bashrc.mine file.
8de9cec2 EB	6	#
28e020a8 EB	7	# To run a command with a different set of credentials from your
	8	# default, run
	9	#
	10	# kdo <principal> <command>
	11	#
	12	# e.g.,
	13	#
	14	# kdo broder/root aklog
	15	#
	16	# If you lack credentials for the specified principal, you'll be
	17	# prompted for the password.
	18	#
	19	# If kdo needs to acquire tickets, it will pass the value of
	20	# ${kdo_args[@]} to kinit. I use this to get tickets that last for 15
	21	# minutes, that are renewable for 60 minutes, and aren't forwardable.
	22	#
	23	# To add kdo support for a new platform, you need to provide an
	24	# interface to multiple credential caches by defining two functions:
	25	#
	26	# - kcaches::
38704d48	27	# Print one line per current credential cache of the form "<PRINCIPAL> <KRB5CCNAME>"
28e020a8 EB	28	# - knewcache::
	29	# Without changing the current credentials cache, get credentials
	30	# for the principal in $1, passing the remaining arguments to
	31	# kinit.
	32	# knewcache should set the variable cache with the KRB5CCNAME
	33	# value for the newly created credential cache
	34	#
	35	# Also included is krootssh, a wrapper around ssh for using your
	36	# root-instance tickets with ssh. It ensures that your tickets don't
	37	# get accidentally forwarded, on the off chance that you have
	38	# forwardable tickets.
	39
	40	# CONFIGURATION
	41	kdo_args=(-l15m -r60m -F)
	42
dd7592c4 QS	43	# CC interface for OS X or modern MIT krb5
dd7592c4 QS	44	if type kswitch &>/dev/null; then
28e020a8	45	kcaches () {
b533cd9f	46	klist -A \| perl -ne '$cache = $1 if /^(?:Kerberos 5 ticket\|Ticket\|Credentials) cache: '\''?(.)'\''?/; print "$1 $cache\n" if /^(?:Default p\|P)rincipal: (.)$/'
28e020a8 EB	47	}
	48
	49	knewcache () {
	50	princ="$1"; shift
b533cd9f	51	local oldcache="$(klist \| perl -ne 'print $1 if /^(?:Kerberos 5 ticket\|Ticket\|Credentials) cache: '\''?(.*)'\''?/')"
fc9ab391	52	# " # <-- emacs thinks there's an unbalanced " on the previous line.
28e020a8 EB	53	kinit "$@" "$princ" \|\| return 1
	54	cache="$(kfindcache "$princ")"
	55	# On OS X, kinit will switch your default credential cache to
	56	# that of the newly acquired tickets, so switch back if we can
	57	if [ -z "$oldcache" ]; then
	58	echo "W: Tickets for $princ are now in your default credential cache" >&2
	59	else
	60	kswitch -c "$oldcache"
	61	fi
	62	}
	63	fi
	64
	65	# If kcaches and knewcache have been defined for this platform, then
	66	# setup kdo. Otherwise, add a helpful error.
f092e365	67	if type kcaches &>/dev/null && type knewcache &>/dev/null; then
28e020a8	68	kfindcache () {
38704d48	69	kcaches \| fgrep "$1" \| cut -d' ' -f2-
28e020a8 EB	70	}
	71
	72	kdo () {
	73	local princ="$1"; shift
	74	local cache="$(kfindcache "$princ")"
	75	# If the cache that we want to use has expired tickets, then
	76	# destroy that cache so we don't try to use it again and clear
	77	# $cache so that we'll revert to acquiring a new set of
	78	# tickets
b533cd9f	79	if [ -n "$cache" ] && ! (KRB5CCNAME="$cache" klist -s); then
28e020a8 EB	80	KRB5CCNAME="$cache" kdestroy
	81	cache=""
	82	fi
	83	if [ -z "$cache" ]; then
	84	knewcache "$princ" "${kdo_args[@]}" \|\| return 1
	85	fi
	86	echo "I: Running $1 with cache $cache (for principal $princ)" >&2
	87	KRB5CCNAME="$cache" "$@"
	88	}
	89	_kdo () {
	90	local cur
	91	COMPREPLY=()
	92	cur="${COMP_WORDS[COMP_CWORD]}"
38704d48	93	opts="$(kcaches \| awk '{ print $1 }')"
28e020a8 EB	94	case $COMP_CWORD in
	95	1)
	96	COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
	97	;;
	98	2)
	99	COMPREPLY=($(compgen -c -- "${cur}"))
	100	esac
	101	}
f092e365 MR	102	if type complete &>/dev/null; then
	103	complete -o bashdefault -F _kdo kdo
	104	fi
28e020a8	105
28e020a8 EB	106	else
	107	kdo () {
	108	echo "kdo has not been ported to this platform yet." >&2
	109	return 1
	110	}
28e020a8 EB	111	fi
28e020a8 EB	112
b533cd9f QS	113	krootssh () {
	114	kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU ssh -o GSSAPIDelegateCredentials=no "$@"
	115	}
	116
	117	krootscp () {
	118	kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU scp -o GSSAPIDelegateCredentials=no "$@"
	119	}