X-Git-Url: http://git.iain.cx/?p=profile.git;a=blobdiff_plain;f=.profile.d%2Fkrb5.bashrc;h=9c56dda0baad256d8a16b32c24bb805f6468970f;hp=08dfb53c877cc127346ed23b8af75f832be50b80;hb=48f30af664cf57c765a763eea7c652da92d66c27;hpb=f41ffed16658e78da63012d5d2ff9a65457e6897

diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc
index 08dfb53..9c56dda 100644
--- a/.profile.d/krb5.bashrc
+++ b/.profile.d/krb5.bashrc
@@ -1,60 +1,102 @@
 alias kssh='ssh -o preferredauthentications=gssapi-with-mic'
 alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
 
-if [ $UID -gt 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
-  if tty -s; then
-    if klist -s 2>/dev/null; then
-      # We already have a ticket cache.  Renew it.
-      kinit -R &>/dev/null
-    else
-      # Try to find an existing cache but only if we are using FILE: caches.
-      default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p')
-      if [ ! -z "$default" ]; then
-        # Check for Exceed onDemand stupidity.
-        if [ "$KRB5CCNAME" = "FILE:" ]; then
-          unset KRB5CCNAME
-        fi
+unalias kinit 2>/dev/null
+if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
+  if [ -t 0 ]; then
+    # Canonicalise the cache name.
+    if [ -n "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then
+      export KRB5CCNAME="FILE:$KRB5CCNAME"
+    fi
 
-        # Check for bogus FILE: KRB5CCNAME.
-        if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then 
-          export KRB5CCNAME="FILE:$KRB5CCNAME"
-        fi
+    if [ ! "$SUDO_UID" ]; then
+      if klist -s 2>/dev/null; then
+        # We already have a ticket cache.  Renew it.
+        kinit -R &>/dev/null
+      else
+        # Try to find an existing cache but only if we are using FILE: caches.
+        default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p')
+        if [ ! -z "$default" ]; then
+          # Check for Exceed onDemand stupidity.
+          if [ "$KRB5CCNAME" = "FILE:" ]; then
+            unset KRB5CCNAME
+          fi
+
+          # Check for bogus FILE: KRB5CCNAME.
+          if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then 
+            export KRB5CCNAME="FILE:$KRB5CCNAME"
+          fi
+
+          # Find the file.
+          ccname="${KRB5CCNAME##FILE:}"
+          if [ "$ccname" = "$KRB5CCNAME" ]; then
+            # Our cache isn't a file cache.  Throw it away.
+            ccname="$default"
+            unset KRB5CCNAME
+          fi
 
-        # Find the file.
-        ccname="${KRB5CCNAME##FILE:}"
-        if [ "$ccname" = "$KRB5CCNAME" ]; then
-          # Our cache isn't a file cache.  Throw it away.
-          ccname="$default"
-          unset KRB5CCNAME
+          # Remember if nullglob was on.
+          shopt -q nullglob
+          ng=$?
+          # Turn it on so we can look for caches safely.
+          shopt -s nullglob
+
+          for cache in $default*; do
+            if klist -s -c "$cache"; then
+              if [ ! "$cache" = "$ccname" ]; then
+                # It may not be safe to simply point the environment to this 
+                # cache as it may belong to a session which is about to end.  
+                # Therefore we copy it.
+                cp -p "$cache" "$ccname" || continue
+              fi
+              kinit -R &>/dev/null
+              break
+            fi
+          done
+
+          # Maybe turn nocaseglob back off.
+          [ $ng = 0 ] || shopt -u nullglob
         fi
 
-        # Remember if nullglob was on.
-        shopt -q nullglob
-        ng=$?
-        # Turn it on so we can look for caches safely.
-        shopt -s nullglob
-
-        for cache in $default*; do
-          if klist -s -c "$cache"; then
-            if [ ! "$cache" = "$ccname" ]; then
-              # It may not be safe to simply point the environment to this 
-              # cache as it may belong to a session which is about to end.  
-              # Therefore we copy it.
-              cp -p "$cache" "$ccname" || continue
+        # By now we should have found a cache if there's one to find.
+        klist -s 2>/dev/null || kinit
+      fi
+    elif [ ! -z "$KRB5CCNAME" ]; then
+      # Don't break permissions of inherited cache under sudo.
+      cache="${KRB5CCNAME##FILE:}"
+      if [ ! "$cache" = "$KRB5CCNAME" ]; then
+        ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
+        export KRB5CCNAME="FILE:$ccname"
+        (
+          umask 077
+          if cat "$cache" > "$ccname" 2>/dev/null; then
+            klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
+          elif [ -n "$KRB5BASE64" ]; then
+            if [ -n "$KRB5OPENSSL" ]; then
+              builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname"
             fi
-            kinit -R &>/dev/null
-            break
+            unset KRB5BASE64 KRB5OPENSSL
+          else
+            # XXX: Don't kinit every time if we aren't root.
+            # TODO: Split the "set my cache" and "get my credentials" parts so
+            #       that becoming a user other than root will work without
+            #       extraneous kinits.
+            rm "$ccname" 2>/dev/null
           fi
-        done
-
-        # Maybe turn nocaseglob back off.
-        [ $ng = 0 ] || shopt -u nullglob
+        )
+        trap "kdestroy 2>/dev/null" EXIT
       fi
     fi
-
-    # By now we should have found a cache if there's one to find.
-    klist -s 2>/dev/null || kinit
   fi
 fi
 
 unset cache ccname default ng
+function kinit() {
+  local args=
+  local krb5ccname=
+  if [ -n "$KRB5CCNAME" ]; then
+    args="$@"
+    [ "${args/-c /}" = "$args" ] && krb5ccname="-c $KRB5CCNAME"
+  fi
+  ( builtin cd /; exec -c kinit $krb5ccname ${1+"$@"} )
+}