--- /dev/null
+kdo is a series of shell functions for dealing with multiple Kerberos
+on Mac OS X.
+
+Add the contents of bashrc to your .bashrc file. To run a command with
+a different set of credentials from your default, run (e.g.)
+
+ kdo broder/root aklog
+
+If you don't currently have credentials for the principal you specify,
+you'll be prompted for the password.
+
+kdo by default gets nonforwardable tickets with a 15 minute lifetime,
+renewable for 60 minutes; you can change the kinit_args variable in
+kdo if you want to change these defaults.
+
+kdo doesn't behave well if you don't already have tickets of some
+form.
+
+This snippet also provides krootssh, which is a convenience function
+for using your root instance tickets to ssh into another machine.
--- /dev/null
+function kfindcache {
+ klist -A | grep -A1 'Kerberos 5 ticket cache' | grep -iB1 "principal: .*$1" | head -n 1 | cut -f 2 -d "'"
+}
+
+function kdo {
+ local princ="$1"
+ shift;
+ local kinit_args="-l15m -r60m -F"
+ local cache=`kfindcache "$princ"`
+ if [ -n "$cache" ] && ! (KRB5CCNAME="$cache" klist -s "$cache"); then
+ KRB5CCNAME="$cache" kdestroy
+ cache=""
+ fi
+ if [ -z "$cache" ]; then
+ local oldcache=`klist | grep 'Kerberos 5 ticket cache' | cut -f 2 -d "'"`
+ kinit $kinit_args "$princ" || return 1
+ cache=`kfindcache "$princ"`
+ kswitch -c "$oldcache"
+ fi
+ echo "Running $1 with cache $cache (for principal $princ)" >&2
+ KRB5CCNAME="$cache" "$@"
+}
+
+function krootssh {
+ kdo ${ATHENA_USER:-$USER}}/root@ATHENA.MIT.EDU ssh -o "GSSAPIDelegateCredentials no" "$@"
+}
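Review bot: kfindcache picks the cache with an unanchored, case-insensitive regex (`grep -iB1 "principal: .*$1"`), so a request for `broder` also matches the cache of `broder/root` or any principal containing that text, and kdo then runs the command under a different identity than the one named. Matching the whole principal without `-i`, for example `grep -B1 -E "principal: $1(@.*)?\$"`, would avoid that, though `.` in the argument still acts as a regex wildcard. Separately, krootssh has a stray brace in `${ATHENA_USER:-$USER}}/root@ATHENA.MIT.EDU`, which yields the principal `user}/root@…`; it should read `"${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU"`. In kdo, if the second kfindcache call returns nothing, the command runs with an empty KRB5CCNAME and presumably falls back to the default credentials, so a `[ -n "$cache" ] || return 1` before the final line would make that failure explicit.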