2 # kdo is a shell function for interacting with multiple Kerberos
5 # To use kdo, add this snippet to your .bashrc or .bashrc.mine file.
7 # To run a command with a different set of credentials from your
10 # kdo <principal> <command>
14 # kdo broder/root aklog
16 # If you lack credentials for the specified principal, you'll be
17 # prompted for the password.
19 # If kdo needs to acquire tickets, it will pass the value of
20 # ${kdo_args[@]} to kinit. I use this to get tickets that last for 15
21 # minutes, that are renewable for 60 minutes, and aren't forwardable.
23 # To add kdo support for a new platform, you need to provide an
24 # interface to multiple credential caches by defining two functions:
27 # Print one line per current credential cache of the form "<PRINCIPAL> <KRB5CCNAME>"
29 # Without changing the current credentials cache, get credentials
30 # for the principal in $1, passing the remaining arguments to
32 # knewcache should set the variable cache with the KRB5CCNAME
33 # value for the newly created credential cache
35 # Also included is krootssh, a wrapper around ssh for using your
36 # root-instance tickets with ssh. It ensures that your tickets don't
37 # get accidentally forwarded, on the off chance that you have
38 # forwardable tickets.
41 kdo_args=(-l15m -r60m -F)
43 # CC interface for OS X or modern MIT krb5
44 if type kswitch &>/dev/null; then
46 klist -A | perl -ne '$cache = $1 if /^(?:Kerberos 5 ticket|Ticket|Credentials) cache: '\''?(.*)'\''?/; print "$1 $cache\n" if /^(?:Default p|P)rincipal: (.*)$/'
51 local oldcache="$(klist | perl -ne 'print $1 if /^(?:Kerberos 5 ticket|Ticket|Credentials) cache: '\''?(.*)'\''?/')"
52 # " # <-- emacs thinks there's an unbalanced " on the previous line.
53 kinit "$@" "$princ" || return 1
54 cache="$(kfindcache "$princ")"
55 # On OS X, kinit will switch your default credential cache to
56 # that of the newly acquired tickets, so switch back if we can
57 if [ -z "$oldcache" ]; then
58 echo "W: Tickets for $princ are now in your default credential cache" >&2
60 kswitch -c "$oldcache"
65 # If kcaches and knewcache have been defined for this platform, then
66 # setup kdo. Otherwise, add a helpful error.
67 if type kcaches &>/dev/null && type knewcache &>/dev/null; then
69 kcaches | fgrep "$1" | cut -d' ' -f2-
73 local princ="$1"; shift
74 local cache="$(kfindcache "$princ")"
75 # If the cache that we want to use has expired tickets, then
76 # destroy that cache so we don't try to use it again and clear
77 # $cache so that we'll revert to acquiring a new set of
79 if [ -n "$cache" ] && ! (KRB5CCNAME="$cache" klist -s); then
80 KRB5CCNAME="$cache" kdestroy
83 if [ -z "$cache" ]; then
84 knewcache "$princ" "${kdo_args[@]}" || return 1
86 echo "I: Running $1 with cache $cache (for principal $princ)" >&2
87 KRB5CCNAME="$cache" "$@"
92 cur="${COMP_WORDS[COMP_CWORD]}"
93 opts="$(kcaches | awk '{ print $1 }')"
96 COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
99 COMPREPLY=($(compgen -c -- "${cur}"))
102 if type complete &>/dev/null; then
103 complete -o bashdefault -F _kdo kdo
108 echo "kdo has not been ported to this platform yet." >&2
114 kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU ssh -o GSSAPIDelegateCredentials=no "$@"
118 kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU scp -o GSSAPIDelegateCredentials=no "$@"
snippets / Scripts / git / .git / blob