1 # kdo is a shell function for interacting with multiple Kerberos
4 # To use kdo, add this snippet to your .bashrc or .bashrc.mine file.
6 # To run a command with a different set of credentials from your
9 # kdo <principal> <command>
13 # kdo broder/root aklog
15 # If you lack credentials for the specified principal, you'll be
16 # prompted for the password.
18 # If kdo needs to acquire tickets, it will pass the value of
19 # ${kdo_args[@]} to kinit. I use this to get tickets that last for 15
20 # minutes, that are renewable for 60 minutes, and aren't forwardable.
22 # To add kdo support for a new platform, you need to provide an
23 # interface to multiple credential caches by defining two functions:
26 # Print one line per current credential cache of the form "<KRB5CCNAME> <PRINCIPAL>"
28 # Without changing the current credentials cache, get credentials
29 # for the principal in $1, passing the remaining arguments to
31 # knewcache should set the variable cache with the KRB5CCNAME
32 # value for the newly created credential cache
34 # Also included is krootssh, a wrapper around ssh for using your
35 # root-instance tickets with ssh. It ensures that your tickets don't
36 # get accidentally forwarded, on the off chance that you have
37 # forwardable tickets.
40 kdo_args=(-l15m -r60m -F)
42 # CC interface for OS X
43 if [ "Darwin" = "$(uname)" ]; then
45 klist -A | awk '/^Kerberos 5 ticket cache:/ {cache = $5; princline=NR+1} NR==princline {print substr(cache, 2, length(cache)-2), $3}'
50 local oldcache="$(klist | grep 'Kerberos 5 ticket cache' | cut -f 2 -d "'")"
51 kinit "$@" "$princ" || return 1
52 cache="$(kfindcache "$princ")"
53 # On OS X, kinit will switch your default credential cache to
54 # that of the newly acquired tickets, so switch back if we can
55 if [ -z "$oldcache" ]; then
56 echo "W: Tickets for $princ are now in your default credential cache" >&2
58 kswitch -c "$oldcache"
63 # If kcaches and knewcache have been defined for this platform, then
64 # setup kdo. Otherwise, add a helpful error.
65 if hash kcaches &>/dev/null && hash knewcache &>/dev/null; then
67 kcaches | fgrep "$1" | awk '{print $1}'
71 local princ="$1"; shift
72 local cache="$(kfindcache "$princ")"
73 # If the cache that we want to use has expired tickets, then
74 # destroy that cache so we don't try to use it again and clear
75 # $cache so that we'll revert to acquiring a new set of
77 if [ -n "$cache" ] && ! klist -s "$cache"; then
78 KRB5CCNAME="$cache" kdestroy
81 if [ -z "$cache" ]; then
82 knewcache "$princ" "${kdo_args[@]}" || return 1
84 echo "I: Running $1 with cache $cache (for principal $princ)" >&2
85 KRB5CCNAME="$cache" "$@"
90 cur="${COMP_WORDS[COMP_CWORD]}"
91 opts="$(kcaches | awk '{ print $2 }')"
94 COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
97 COMPREPLY=($(compgen -c -- "${cur}"))
100 complete -o bashdefault -F _kdo kdo
103 kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU ssh -o GSSAPIDelegateCredentials=no "$@"
107 echo "kdo has not been ported to this platform yet." >&2
112 echo "kdo has not been ported to this plastform yet." >&2