@kwk
Last active November 29, 2023 16:17
Automate getting Kerberos tickets with kinit using secret-tool

README

I often have to get multiple Kerberos tickets, which I do with, for example, kinit kkleine@REDHAT.COM, and then I have to enter my password each time. This is annoying. The script kinit-wrapper uses secret-tool to store each principal's password in the default keyring on the first run and, on later runs, pulls it out of the keyring and hands it to kinit on stdin.

First run

Here's an example of a first run:

$ kinit-wrapper 
Checking for password for principal "kkleine@REDHAT.COM"...NO PASSWORD FOUND. Please, enter it in the next step!
Password: 
Attempting to get a Kerberos token for principal "kkleine@REDHAT.COM"...OK
Checking for password for principal "kkleine@IPA.REDHAT.COM"...NO PASSWORD FOUND. Please, enter it in the next step!
Password: 
Attempting to get a Kerberos token for principal "kkleine@IPA.REDHAT.COM"...OK
Checking for password for principal "kkleine@FEDORAPROJECT.ORG"...NO PASSWORD FOUND. Please, enter it in the next step!
Password: 
Attempting to get a Kerberos token for principal "kkleine@FEDORAPROJECT.ORG"...OK

Second run

On a second run, I'm not asked for the password which is nice:

$ kdestroy -A && kinit-wrapper
Checking for password for principal "kkleine@REDHAT.COM"...FOUND
Attempting to get a Kerberos token for principal "kkleine@REDHAT.COM"...OK
Checking for password for principal "kkleine@IPA.REDHAT.COM"...FOUND
Attempting to get a Kerberos token for principal "kkleine@IPA.REDHAT.COM"...OK
Checking for password for principal "kkleine@FEDORAPROJECT.ORG"...FOUND
Attempting to get a Kerberos token for principal "kkleine@FEDORAPROJECT.ORG"...OK

Error

If getting a Kerberos token fails, the script reports it and assumes that you most likely mistyped the password when it was stored:

$ kdestroy -A && kinit-wrapper 
Checking for password for principal "kkleine@REDHAT.COM"...FOUND
Attempting to get a Kerberos token for principal "kkleine@REDHAT.COM"...ERROR
Shall we remove the secret for principal "kkleine@REDHAT.COM" so that you can enter it again on the next run? (Y/N): Y
Removing password for principal "kkleine@REDHAT.COM".
Now run kinit-wrapper again!

When you run kinit-wrapper again, it will prompt for the password for that principal again.

#!/bin/bash
# Purpose: Get multiple Kerberos tokens without having to enter passwords all the time.
# Author: Konrad Kleine
#
# Each password is kept in the default keyring via secret-tool (libsecret) under the
# attribute "label=krb_<principal>" and is piped into kinit on stdin, so it never
# appears on a command line or in the process list.
set +x
# Force English program output so the grep on secret-tool's output below keeps matching.
export LC_ALL=C

principals=()
# TODO: Add your Kerberos principals here:
principals+=(kkleine@REDHAT.COM)
principals+=(kkleine@IPA.REDHAT.COM)
principals+=(kkleine@FEDORAPROJECT.ORG)

# Optionally uncomment this if you want to be reminded about connecting to VPN first.
#host ldap.corp.redhat.com >/dev/null 2>&1 || {
#    echo "ERROR: Must be connected to the Red Hat VPN first!" >&2
#    exit 1
#}

for principal in "${principals[@]}"; do
    key_name="krb_$principal"

    echo -n "Checking for password for principal \"$principal\"..."
    # "secret-tool search" prints the attributes of every matching item; a stored
    # password shows up as an "attribute.label = ..." line.
    if ! secret-tool search label "$key_name" 2>&1 | grep -q 'attribute\.label'; then
        echo "NO PASSWORD FOUND. Please, enter it in the next step!"
        # secret-tool prompts "Password:" and reads the secret from the terminal.
        secret-tool store --label="$key_name" \
            label "$key_name" \
            uuid "$(uuidgen)" \
            created "$(date)" || {
            echo "ERROR: could not store the password in the keyring." >&2
            exit 1
        }
    else
        echo "FOUND"
    fi

    echo -n "Attempting to get a Kerberos token for principal \"$principal\"..."
    # kinit reads the password from stdin, so the secret travels over a pipe only.
    if ! secret-tool lookup label "$key_name" | /usr/bin/kinit "$principal" >/dev/null 2>&1; then
        echo "ERROR"
        while true; do
            read -r -p "Shall we remove the secret for principal \"$principal\" so that you can enter it again on the next run? (Y/N): " answer
            case $answer in
                [Yy]* )
                    echo "Removing password for principal \"$principal\"."
                    secret-tool clear label "$key_name"
                    echo "Now run $(basename "$0") again!"
                    break;;
                [Nn]* )
                    echo "Exiting"
                    exit 1;;
                * ) echo "Please answer Y or N.";;
            esac
        done
        # Stop after the first failure; the remaining principals are handled on the next run.
        exit 1
    else
        echo "OK"
    fi
done