# kssh: offer only the GSSAPI method, so ssh uses Kerberos tickets and never
# drops to a password prompt.
alias kssh='ssh -o preferredauthentications=gssapi-with-mic'
# pssh: the opposite — skip GSSAPI and go straight to password/keyboard-interactive.
alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'

# Remove any inherited kinit alias so the calls below reach the real binary;
# stderr is silenced because there may be nothing to remove.
unalias kinit 2>/dev/null
# Kerberos ticket-cache housekeeping for interactive shells.  NOTE: the leading
# `1 = 0` can never be true, so this entire block is currently switched off; the
# OLDSOLARIS/OLDREDHAT tests only matter if that guard is removed.
if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
  # Only act when a terminal is attached.
  if tty -s; then
    # Not under sudo: manage the user's own cache.
    if [ ! "$SUDO_UID" ]; then
      if klist -s 2>/dev/null; then
        # We already have a ticket cache.  Renew it.
        kinit -R &>/dev/null
      else
        # Try to find an existing cache but only if we are using FILE: caches.
        # klist runs with KRB5CCNAME unset so it reports the library default;
        # sed keeps only the path after "FILE:" (empty for non-file caches).
        default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p')
        if [ ! -z "$default" ]; then
          # Check for Exceed onDemand stupidity: a bare "FILE:" with no path.
          if [ "$KRB5CCNAME" = "FILE:" ]; then
            unset KRB5CCNAME
          fi

          # Check for bogus FILE: KRB5CCNAME: a value without any "type:"
          # prefix is treated as a plain file path.
          if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then 
            export KRB5CCNAME="FILE:$KRB5CCNAME"
          fi

          # Find the file.
          ccname="${KRB5CCNAME##FILE:}"
          if [ "$ccname" = "$KRB5CCNAME" ]; then
            # Our cache isn't a file cache.  Throw it away.
            ccname="$default"
            unset KRB5CCNAME
          fi

          # Remember if nullglob was on (exit status 0 means it was already set).
          shopt -q nullglob
          ng=$?
          # Turn it on so we can look for caches safely.
          shopt -s nullglob

          # $default is deliberately unquoted: glob for every cache file that
          # shares the default prefix.
          for cache in $default*; do
            # klist -s succeeds only for a cache that holds valid tickets.
            if klist -s -c "$cache"; then
              if [ ! "$cache" = "$ccname" ]; then
                # It may not be safe to simply point the environment to this
                # cache as it may belong to a session which is about to end.
                # Therefore we copy it.  The copy carries live credentials;
                # -p preserves the source's mode, so it is no more readable
                # than the original.
                cp -p "$cache" "$ccname" || continue
              fi
              kinit -R &>/dev/null
              break
            fi
          done

          # Maybe turn nullglob back off (only if it was off when we started).
          [ $ng = 0 ] || shopt -u nullglob
        fi

        # By now we should have found a cache if there's one to find.
        klist -s 2>/dev/null || kinit
      fi
    elif [ ! -z "$KRB5CCNAME" ]; then
      # Don't break permissions of inherited cache under sudo.
      cache="${KRB5CCNAME##FILE:}"
      if [ ! "$cache" = "$KRB5CCNAME" ]; then
        # Private per-shell copy: "_<SUDO_UID>" becomes "_<UID>_sudo_<SUDO_UID>"
        # and this shell's pid is appended, so the inherited file is left alone.
        ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
        export KRB5CCNAME="FILE:$ccname"
        # Subshell scopes the umask to the copy below.
        (
          # The credentials copy must be readable by this user only.
          umask 077
          if cat "$cache" > "$ccname" 2>/dev/null; then
            # $PRINCIPAL is unquoted on purpose: an empty value expands to
            # nothing and kinit falls back to its default principal.
            klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
          elif [ -n "$KRB5BASE64" ]; then
            # Fallback: a base64-encoded cache handed over via the environment.
            if [ -n "$KRB5OPENSSL" ]; then
              # NOTE(review): $KRB5OPENSSL is executed as a command and is
              # taken from the environment inherited across sudo — whoever can
              # set it decides what runs here.  Confirm how it reaches this shell.
              builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname"
            fi
            # Scrub the encoded credentials once used.  NOTE: this runs inside
            # the ( ... ) subshell, so the parent shell's copies survive.
            unset KRB5BASE64 KRB5OPENSSL
          else
            # XXX: Don't kinit every time if we aren't root.
            # TODO: Split the "set my cache" and "get my credentials" parts so
            #       that becoming a user other than root will work without
            #       extraneous kinits.
            rm "$ccname" 2>/dev/null
          fi
        )
        # Destroy the private copy when this shell exits so it does not
        # linger; this replaces any EXIT trap already installed.
        trap "kdestroy 2>/dev/null" EXIT
      fi
    fi
  fi
fi
# Scratch variables from the cache-hunting block above; keep them out of the
# interactive environment.
unset cache ccname default ng
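#######################################
# Wrapper around kinit that pins the ticket cache to $KRB5CCNAME.
# kinit is exec'd with an empty environment (exec -c), so it would not see
# KRB5CCNAME on its own; the cache is therefore passed explicitly with -c
# unless the caller already supplied one ("-c FILE" or "-cFILE").
# Globals:   KRB5CCNAME (read)
# Arguments: forwarded verbatim to kinit
# Returns:   kinit's exit status
#######################################
function kinit() {
  local -a cache_opt=()
  local arg
  local have_cache=0
  if [ -n "$KRB5CCNAME" ]; then
    # Look at each argument separately so a trailing "-c" or an attached
    # "-cFILE" is recognised too (a joined-string substring test missed both).
    for arg in "$@"; do
      case "$arg" in
        -c|-c?*) have_cache=1; break ;;
      esac
    done
    # An array keeps a cache path containing spaces as a single word.
    [ "$have_cache" = 0 ] && cache_opt=(-c "$KRB5CCNAME")
  fi
  # Subshell so the cd does not affect the caller.  exec -c hands kinit an
  # empty environment — presumably to keep this shell's variables (including
  # KRB5CCNAME) from leaking into it; note it also drops KRB5_CONFIG and PATH.
  ( builtin cd /; exec -c kinit "${cache_opt[@]}" "$@" )
}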