# SSH shortcuts that pin the client to one authentication family:
#   kssh - GSSAPI (Kerberos ticket) only
#   pssh - password / keyboard-interactive only
alias \
  kssh='ssh -o preferredauthentications=gssapi-with-mic' \
  pssh='ssh -o preferredauthentications=password,keyboard-interactive'

# Drop any inherited kinit alias before kinit is used or redefined further
# down; the error printed when no such alias exists is discarded.
{ unalias kinit; } 2>/dev/null
# Login-time Kerberos credential-cache setup for interactive shells.
# NOTE(review): the leading `1 = 0` test is always false, so nothing inside
# this block runs at present; it reads as deliberately disabled code. The
# review notes below matter if it is ever switched back on.
if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
  # Only act when stdin is a terminal.
  if [ -t 0 ]; then
    # Canonicalise the cache name: a value without any ':' has no cache-type
    # prefix, so treat it as a file path and prepend FILE:.
    if [ -n "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then
      export KRB5CCNAME="FILE:$KRB5CCNAME"
    fi

    # Normal login (SUDO_UID empty or unset).
    if [ ! "$SUDO_UID" ]; then
      if klist -s 2>/dev/null; then
        # We already have a ticket cache.  Renew it.
        kinit -R &>/dev/null
      else
        # Try to find an existing cache but only if we are using FILE: caches.
        # klist is run with KRB5CCNAME unset in a subshell, and sed pulls the
        # path that follows "FILE:" (up to a closing parenthesis) from its output.
        default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p')
        if [ ! -z "$default" ]; then
          # Check for Exceed onDemand stupidity.
          if [ "$KRB5CCNAME" = "FILE:" ]; then
            unset KRB5CCNAME
          fi

          # Check for bogus FILE: KRB5CCNAME.
          if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then 
            export KRB5CCNAME="FILE:$KRB5CCNAME"
          fi

          # Find the file.
          ccname="${KRB5CCNAME##FILE:}"
          if [ "$ccname" = "$KRB5CCNAME" ]; then
            # Our cache isn't a file cache.  Throw it away.
            # (This branch is also taken when KRB5CCNAME is unset or empty.)
            ccname="$default"
            unset KRB5CCNAME
          fi

          # Remember if nullglob was on (shopt -q returns 0 when it is set).
          shopt -q nullglob
          ng=$?
          # Turn it on so we can look for caches safely.
          shopt -s nullglob

          # NOTE(review): $default is unquoted, so a path containing whitespace
          # is word-split. The glob is a plain prefix match, so it can also
          # name files that merely share the prefix (for example a cache for a
          # longer UID). Any readable file that passes klist -s is accepted;
          # consider an ownership test such as [ -O "$cache" ] before using it.
          for cache in $default*; do
            if klist -s -c "$cache"; then
              if [ ! "$cache" = "$ccname" ]; then
                # It may not be safe to simply point the environment to this
                # cache as it may belong to a session which is about to end.
                # Therefore we copy it.
                cp -p "$cache" "$ccname" || continue
              fi
              kinit -R &>/dev/null
              break
            fi
          done

          # Maybe turn nullglob back off (only if it was off before).
          [ $ng = 0 ] || shopt -u nullglob
        fi

        # By now we should have found a cache if there's one to find.
        klist -s 2>/dev/null || kinit
      fi
    elif [ ! -z "$KRB5CCNAME" ]; then
      # Don't break permissions of inherited cache under sudo.
      cache="${KRB5CCNAME##FILE:}"
      if [ ! "$cache" = "$KRB5CCNAME" ]; then
        # Per-shell copy: the first "_$SUDO_UID" in the inherited path becomes
        # "_${UID}_sudo_$SUDO_UID", and "_<pid of this shell>" is appended.
        # NOTE(review): the resulting name is predictable (UIDs plus PID) and
        # the `>` redirection below follows an existing symlink. If the cache
        # directory is writable by other users (not visible from this file),
        # a pre-created entry could redirect or pre-own the credential copy.
        # A create-exclusive write or a private directory would avoid that.
        ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
        export KRB5CCNAME="FILE:$ccname"
        (
          # Subshell, so the restrictive umask does not leak into the login shell.
          umask 077
          if cat "$cache" > "$ccname" 2>/dev/null; then
            # NOTE(review): with `a && b || c`, kinit also runs when kinit -R
            # fails, not only when klist -s does. $PRINCIPAL is unquoted and is
            # not set anywhere in this file.
            klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
          elif [ -n "$KRB5BASE64" ]; then
            # Inherited cache unreadable: rebuild it from a base64 copy
            # passed in through the environment.
            # NOTE(review): $KRB5OPENSSL is taken from the environment and run
            # as a command, unquoted; confirm that whatever sets it is trusted.
            if [ -n "$KRB5OPENSSL" ]; then
              builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname"
            fi
            # NOTE(review): this unset runs inside the ( ... ) subshell, so
            # KRB5BASE64 (encoded credentials) stays set in the parent shell.
            unset KRB5BASE64 KRB5OPENSSL
          else
            # XXX: Don't kinit every time if we aren't root.
            # TODO: Split the "set my cache" and "get my credentials" parts so
            #       that becoming a user other than root will work without
            #       extraneous kinits.
            rm "$ccname" 2>/dev/null
          fi
        )
        # Destroy the per-shell cache when this shell exits. Setting the EXIT
        # trap replaces any EXIT trap that was installed earlier.
        trap "kdestroy 2>/dev/null" EXIT
      fi
    fi
  fi
fi

# Clear the temporaries used above so they do not linger in the login shell.
unset cache ccname default ng
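#######################################
# Wrapper around the external kinit binary.
# Runs kinit from / with an empty environment (exec -c). KRB5CCNAME is
# therefore not inherited by the child, so the cache is passed explicitly
# with -c unless the caller already supplied a -c option.
# Globals:   KRB5CCNAME (read)
# Arguments: any kinit arguments, passed through unchanged
# Returns:   exit status of kinit
#######################################
function kinit() {
  local -a ccache_opt=()
  local arg
  local caller_gave_cache=0

  if [ -n "$KRB5CCNAME" ]; then
    # Look at each argument on its own. Searching the joined argument string
    # for "-c " also matched values that merely end in "-c" (for example a
    # service name), which silently dropped the cache option.
    for arg in "$@"; do
      case "$arg" in
        -c*)
          # "-c NAME" or the attached form "-cNAME".
          caller_gave_cache=1
          break
          ;;
      esac
    done
    # Keep the cache name as a single array element: an unquoted expansion
    # would word-split and glob it, so whitespace or wildcard characters in
    # KRB5CCNAME would become extra kinit arguments.
    [ "$caller_gave_cache" = 1 ] || ccache_opt=(-c "$KRB5CCNAME")
  fi

  # Subshell: the cd and the exec must not affect the calling shell.
  # `builtin` bypasses any cd function or alias.
  ( builtin cd /; exec -c kinit "${ccache_opt[@]}" "$@" )
}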