alias kssh='ssh -o preferredauthentications=gssapi-with-mic'
alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
-if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
- if tty -s; then
- if [ $UID -gt 0 ]; then
+unalias kinit 2>/dev/null
+if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
+ if [ -t 0 ]; then
+ # Canonicalise the cache name.
+ if [ -n "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then
+ export KRB5CCNAME="FILE:$KRB5CCNAME"
+ fi
+
+ if [ ! "$SUDO_UID" ]; then
if klist -s 2>/dev/null; then
# We already have a ticket cache. Renew it.
kinit -R &>/dev/null
# By now we should have found a cache if there's one to find.
klist -s 2>/dev/null || kinit
fi
- elif [ -n "$KRB5CCNAME" ]; then
+ elif [ ! -z "$KRB5CCNAME" ]; then
# Don't break permissions of inherited cache under sudo.
cache="${KRB5CCNAME##FILE:}"
if [ ! "$cache" = "$KRB5CCNAME" ]; then
- ccname="${cache/_$SUDO_UID/_sudo_$SUDO_UID}_$$"
- cat "$cache" > "$ccname"
+ ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
export KRB5CCNAME="FILE:$ccname"
- klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit
+ (
+ umask 077
+ if cat "$cache" > "$ccname" 2>/dev/null; then
+ klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
+ elif [ -n "$KRB5BASE64" ]; then
+ if [ -n "$KRB5OPENSSL" ]; then
+ builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname"
+ fi
+ unset KRB5BASE64 KRB5OPENSSL
+ else
+ # XXX: Don't kinit every time if we aren't root.
+ # TODO: Split the "set my cache" and "get my credentials" parts so
+ # that becoming a user other than root will work without
+ # extraneous kinits.
+ rm "$ccname" 2>/dev/null
+ fi
+ )
trap "kdestroy 2>/dev/null" EXIT
fi
fi
fi
unset cache ccname default ng
+function kinit() {
+ local args=
+ local krb5ccname=
+ if [ -n "$KRB5CCNAME" ]; then
+ args="$@"
+ [ "${args/-c /}" = "$args" ] && krb5ccname="-c $KRB5CCNAME"
+ fi
+ ( builtin cd /; exec -c kinit $krb5ccname ${1+"$@"} )
+}
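Review bot: The `unset KRB5BASE64 KRB5OPENSSL` in the `elif` branch runs inside the `( … )` subshell, so it has no effect on the invoking shell: the base64-encoded credential cache stays in that shell's environment and is inherited by every child process. Move it to the line after the closing `)`, before the `trap`, as `unset KRB5BASE64 KRB5OPENSSL`. In the same branch `$KRB5OPENSSL` is expanded unquoted and executed, so the decoder binary is whatever the inherited environment names; where it is set is not visible in these lines, but a fixed lookup such as `command -p openssl enc -a -d -out "$ccname"` (or a site-fixed absolute path) would remove that dependency. Note also that `umask 077` only affects newly created files, so it does not protect `cat "$cache" > "$ccname"` if something already exists at that UID-and-`$$`-derived name; whether the cache directory is shared cannot be told from here. The hunk header and the rest of the file are not visible, so the enclosing `if` may extend beyond what is shown.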