X-Git-Url: http://git.iain.cx/?p=profile.git;a=blobdiff_plain;f=.profile.d%2Fkrb5.bashrc;h=9c56dda0baad256d8a16b32c24bb805f6468970f;hp=973101f3c012796b5535d75f42889c29f9c3b963;hb=48f30af664cf57c765a763eea7c652da92d66c27;hpb=be06f9cecd3d053c651c03cd4bec7b51f9494a90
diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc
index 973101f..9c56dda 100644
--- a/.profile.d/krb5.bashrc
+++ b/.profile.d/krb5.bashrc
@@ -1,8 +1,14 @@
 alias kssh='ssh -o preferredauthentications=gssapi-with-mic'
 alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
-if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
- if tty -s; then
+unalias kinit 2>/dev/null
+if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
+ if [ -t 0 ]; then
+ # Canonicalise the cache name.
+ if [ -n "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then
+ export KRB5CCNAME="FILE:$KRB5CCNAME"
+ fi
+
 if [ ! "$SUDO_UID" ]; then
 if klist -s 2>/dev/null; then
 # We already have a ticket cache. Renew it.
@@ -59,17 +65,25 @@ if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
 # Don't break permissions of inherited cache under sudo.
 cache="${KRB5CCNAME##FILE:}"
 if [ ! "$cache" = "$KRB5CCNAME" ]; then
- ccname="${cache/_$SUDO_UID/_sudo_$SUDO_UID}_$$"
+ ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
 export KRB5CCNAME="FILE:$ccname"
- if cat "$cache" > "$ccname" 2>/dev/null; then
- klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
- else
- # XXX: Don't kinit every time if we aren't root.
- # TODO: Split the "set my cache" and "get my credentials" parts so
- # that becoming a user other than root will work without
- # extraneous kinits.
- rm "$ccname" 2>/dev/null
- fi
+ (
+ umask 077
+ if cat "$cache" > "$ccname" 2>/dev/null; then
+ klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
+ elif [ -n "$KRB5BASE64" ]; then
+ if [ -n "$KRB5OPENSSL" ]; then
+ builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname"
+ fi
+ unset KRB5BASE64 KRB5OPENSSL
+ else
+ # XXX: Don't kinit every time if we aren't root.
+ # TODO: Split the "set my cache" and "get my credentials" parts so
+ # that becoming a user other than root will work without
+ # extraneous kinits.
+ rm "$ccname" 2>/dev/null
+ fi
+ )
 trap "kdestroy 2>/dev/null" EXIT
 fi
 fi
@@ -77,3 +91,12 @@ if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
 fi
 fi
 unset cache ccname default ng
+function kinit() {
+ local args=
+ local krb5ccname=
+ if [ -n "$KRB5CCNAME" ]; then
+ args="$@"
+ [ "${args/-c /}" = "$args" ] && krb5ccname="-c $KRB5CCNAME"
+ fi
+ ( builtin cd /; exec -c kinit $krb5ccname ${1+"$@"} )
+}
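Review bot: `unset KRB5BASE64 KRB5OPENSSL` in the new elif branch runs inside the `( umask 077 … )` subshell, so the parent shell never sees it and the base64-encoded ticket cache stays in this shell's environment, inherited by every child process, for the rest of the session. Move that line to just after the closing `)` so it runs in the parent shell: `)` followed by `unset KRB5BASE64 KRB5OPENSSL`. The decode path also checks nothing: when `$KRB5OPENSSL` is empty or `enc -a -d` fails, the `$ccname` that the failed `cat` redirection may already have created empty is left behind and exported as KRB5CCNAME, whereas the else branch removes it; `builtin echo "$KRB5BASE64" | $KRB5OPENSSL enc -a -d -out "$ccname" || rm -f -- "$ccname" 2>/dev/null` would make the two branches behave alike. The surrounding sudo branch starts before this hunk.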
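Review bot: `$krb5ccname` on the `exec -c kinit $krb5ccname ${1+"$@"}` line of the new kinit function is expanded unquoted, so a KRB5CCNAME value containing whitespace is word-split into several arguments and kinit receives a broken `-c` option. An array keeps the option intact: `local -a ccopt=()`, then `[ "${args/-c /}" = "$args" ] && ccopt=(-c "$KRB5CCNAME")`, and `( builtin cd /; exec -c kinit "${ccopt[@]}" "$@" )`. `exec -c` starts kinit with an empty environment, which is presumably why the cache is passed explicitly, but it also drops every other variable the shell had (a KRB5_CONFIG setting included); a header comment stating that intent would help, e.g. `# exec -c runs kinit with a clean environment, so the cache must be passed with -c.`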