X-Git-Url: http://git.iain.cx/?p=profile.git;a=blobdiff_plain;f=.profile.d%2Fkrb5.bashrc;h=9c56dda0baad256d8a16b32c24bb805f6468970f;hp=12b8ea1b0a7fa0835da4e9be9abd7f01ba101d99;hb=92baf2b71dfac31f0d2204eff97faca94c3f4b2e;hpb=51f2ae45a937406379d3bc0e809bc72bcedd7352 diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc index 12b8ea1..9c56dda 100644 --- a/.profile.d/krb5.bashrc +++ b/.profile.d/krb5.bashrc @@ -1,12 +1,102 @@ -# $Id$ alias kssh='ssh -o preferredauthentications=gssapi-with-mic' alias pssh='ssh -o preferredauthentications=password,keyboard-interactive' -if [ $UID -gt 0 ]; then - if tty -s; then - if klist -s; then - kinit -R - else - kinit + +unalias kinit 2>/dev/null +if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then + if [ -t 0 ]; then + # Canonicalise the cache name. + if [ -n "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then + export KRB5CCNAME="FILE:$KRB5CCNAME" + fi + + if [ ! "$SUDO_UID" ]; then + if klist -s 2>/dev/null; then + # We already have a ticket cache. Renew it. + kinit -R &>/dev/null + else + # Try to find an existing cache but only if we are using FILE: caches. + default=$((unset KRB5CCNAME; klist 2>&1) | sed -n 's/.*FILE:\([^)]*\).*/\1/p') + if [ ! -z "$default" ]; then + # Check for Exceed onDemand stupidity. + if [ "$KRB5CCNAME" = "FILE:" ]; then + unset KRB5CCNAME + fi + + # Check for bogus FILE: KRB5CCNAME. + if [ ! -z "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then + export KRB5CCNAME="FILE:$KRB5CCNAME" + fi + + # Find the file. + ccname="${KRB5CCNAME##FILE:}" + if [ "$ccname" = "$KRB5CCNAME" ]; then + # Our cache isn't a file cache. Throw it away. + ccname="$default" + unset KRB5CCNAME + fi + + # Remember if nullglob was on. + shopt -q nullglob + ng=$? + # Turn it on so we can look for caches safely. + shopt -s nullglob + + for cache in $default*; do + if klist -s -c "$cache"; then + if [ ! "$cache" = "$ccname" ]; then + # It may not be safe to simply point the environment to this + # cache as it may belong to a session which is about to end. + # Therefore we copy it. + cp -p "$cache" "$ccname" || continue + fi + kinit -R &>/dev/null + break + fi + done + + # Maybe turn nocaseglob back off. + [ $ng = 0 ] || shopt -u nullglob + fi + + # By now we should have found a cache if there's one to find. + klist -s 2>/dev/null || kinit + fi + elif [ ! -z "$KRB5CCNAME" ]; then + # Don't break permissions of inherited cache under sudo. + cache="${KRB5CCNAME##FILE:}" + if [ ! "$cache" = "$KRB5CCNAME" ]; then + ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$" + export KRB5CCNAME="FILE:$ccname" + ( + umask 077 + if cat "$cache" > "$ccname" 2>/dev/null; then + klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL + elif [ -n "$KRB5BASE64" ]; then + if [ -n "$KRB5OPENSSL" ]; then + builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname" + fi + unset KRB5BASE64 KRB5OPENSSL + else + # XXX: Don't kinit every time if we aren't root. + # TODO: Split the "set my cache" and "get my credentials" parts so + # that becoming a user other than root will work without + # extraneous kinits. + rm "$ccname" 2>/dev/null + fi + ) + trap "kdestroy 2>/dev/null" EXIT + fi fi fi fi + +unset cache ccname default ng +function kinit() { + local args= + local krb5ccname= + if [ -n "$KRB5CCNAME" ]; then + args="$@" + [ "${args/-c /}" = "$args" ] && krb5ccname="-c $KRB5CCNAME" + fi + ( builtin cd /; exec -c kinit $krb5ccname ${1+"$@"} ) +}