.profile.d/krb5.bashrc

   1 alias kssh='ssh -o preferredauthentications=gssapi-with-mic'
   2 alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
   3
   4 if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
   5   if tty -s; then
   6     if [ ! "$SUDO_UID" ]; then
   7       if klist -s 2>/dev/null; then
   8         # We already have a ticket cache.  Renew it.
   9         kinit -R &>/dev/null
  10       else
  11         # Try to find an existing cache but only if we are using FILE: caches.
  12         default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p')
  13         if [ ! -z "$default" ]; then
  14           # Check for Exceed onDemand stupidity.
  15           if [ "$KRB5CCNAME" = "FILE:" ]; then
  16             unset KRB5CCNAME
  17           fi
  18
  19           # Check for bogus FILE: KRB5CCNAME.
  20           if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then
  21             export KRB5CCNAME="FILE:$KRB5CCNAME"
  22           fi
  23
  24           # Find the file.
  25           ccname="${KRB5CCNAME##FILE:}"
  26           if [ "$ccname" = "$KRB5CCNAME" ]; then
  27             # Our cache isn't a file cache.  Throw it away.
  28             ccname="$default"
  29             unset KRB5CCNAME
  30           fi
  31
  32           # Remember if nullglob was on.
  33           shopt -q nullglob
  34           ng=$?
  35           # Turn it on so we can look for caches safely.
  36           shopt -s nullglob
  37
  38           for cache in $default*; do
  39             if klist -s -c "$cache"; then
  40               if [ ! "$cache" = "$ccname" ]; then
  41                 # It may not be safe to simply point the environment to this
  42                 # cache as it may belong to a session which is about to end.
  43                 # Therefore we copy it.
  44                 cp -p "$cache" "$ccname" || continue
  45               fi
  46               kinit -R &>/dev/null
  47               break
  48             fi
  49           done
  50
  51           # Maybe turn nocaseglob back off.
  52           [ $ng = 0 ] || shopt -u nullglob
  53         fi
  54
  55         # By now we should have found a cache if there's one to find.
  56         klist -s 2>/dev/null || kinit
  57       fi
  58     elif [ ! -z "$KRB5CCNAME" ]; then
  59       # Don't break permissions of inherited cache under sudo.
  60       cache="${KRB5CCNAME##FILE:}"
  61       if [ ! "$cache" = "$KRB5CCNAME" ]; then
  62         ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
  63         export KRB5CCNAME="FILE:$ccname"
  64         (
  65           umask 077
  66           if cat "$cache" > "$ccname" 2>/dev/null; then
  67             klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
  68           elif [ -n "$KRB5BASE64" ]; then
  69             if [ -n "$KRB5OPENSSL" ]; then
  70               builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname"
  71             fi
  72             unset KRB5BASE64 KRB5OPENSSL
  73           else
  74             # XXX: Don't kinit every time if we aren't root.
  75             # TODO: Split the "set my cache" and "get my credentials" parts so
  76             #       that becoming a user other than root will work without
  77             #       extraneous kinits.
  78             rm "$ccname" 2>/dev/null
  79           fi
  80         )
  81         trap "kdestroy 2>/dev/null" EXIT
  82       fi
  83     fi
  84   fi
  85 fi
  86
  87 unset cache ccname default ng