1 # kdo is a shell function for interacting with multiple Kerberos
4 # To run a command with a different set of credentials from your
7 # kdo <principal> <command>
11 # kdo broder/root aklog
13 # If you lack credentials for the specified principal, you'll be
14 # prompted for the password.
16 # If kdo needs to acquire tickets, it will pass the value of
17 # ${kdo_args[@]} to kinit. I use this to get tickets that last for 15
18 # minutes, that are renewable for 60 minutes, and aren't forwardable.
20 # To add kdo support for a new platform, you need to provide an
21 # interface to multiple credential caches by defining two functions:
24 # Print one line per current credential cache of the form "<KRB5CCNAME> <PRINCIPAL>"
26 # Without changing the current credentials cache, get credentials
27 # for the principal in $1, passing the remaining arguments to
29 # knewcache should set the variable cache with the KRB5CCNAME
30 # value for the newly created credential cache
32 # Also included is krootssh, a wrapper around ssh for using your
33 # root-instance tickets with ssh. It ensures that your tickets don't
34 # get accidentally forwarded, on the off chance that you have
35 # forwardable tickets.
38 kdo_args=(-l15m -r60m -F)
40 # CC interface for OS X
41 if [ "Darwin" = "$(uname)" ]; then
43 klist -A | awk '/^Kerberos 5 ticket cache:/ {cache = $5; princline=NR+1} NR==princline {print substr(cache, 2, length(cache)-2), $3}'
48 local oldcache="$(klist | grep 'Kerberos 5 ticket cache' | cut -f 2 -d "'")"
49 kinit "$@" "$princ" || return 1
50 cache="$(kfindcache "$princ")"
51 # On OS X, kinit will switch your default credential cache to
52 # that of the newly acquired tickets, so switch back if we can
53 if [ -z "$oldcache" ]; then
54 echo "W: Tickets for $princ are now in your default credential cache" >&2
56 kswitch -c "$oldcache"
61 # If kcaches and knewcache have been defined for this platform, then
62 # setup kdo. Otherwise, add a helpful error.
63 if hash kcaches &>/dev/null && hash knewcache &>/dev/null; then
65 kcaches | fgrep "$1" | awk '{print $1}'
69 local princ="$1"; shift
70 local cache="$(kfindcache "$princ")"
71 # If the cache that we want to use has expired tickets, then
72 # destroy that cache so we don't try to use it again and clear
73 # $cache so that we'll revert to acquiring a new set of
75 if [ -n "$cache" ] && ! klist -s "$cache"; then
76 KRB5CCNAME="$cache" kdestroy
79 if [ -z "$cache" ]; then
80 knewcache "$princ" "${kdo_args[@]}" || return 1
82 echo "I: Running $1 with cache $cache (for principal $princ)" >&2
83 KRB5CCNAME="$cache" "$@"
88 cur="${COMP_WORDS[COMP_CWORD]}"
89 opts="$(kcaches | awk '{ print $2 }')"
92 COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
95 COMPREPLY=($(compgen -c -- "${cur}"))
98 complete -o bashdefault -F _kdo kdo
101 kdo ${ATHENA_USER:-$USER}/root@ATHENA.MIT.EDU ssh -o GSSAPIDelegateCredentials=no "$@"
105 echo "kdo has not been ported to this platform yet." >&2
110 echo "kdo has not been ported to this plastform yet." >&2