# Shell function library to initialize Kerberos credentials # # Note that while many of the functions in this library could benefit from # using "local" to avoid possibly hammering global variables, Solaris /bin/sh # doesn't support local and this library aspires to be portable to Solaris # Bourne shell. Instead, all private variables are prefixed with "tap_". # # The canonical version of this file is maintained in the rra-c-util package, # which can be found at <http://www.eyrie.org/~eagle/software/rra-c-util/>. # # Written by Russ Allbery <eagle@eyrie.org> # Copyright 2009, 2010, 2011, 2012 # The Board of Trustees of the Leland Stanford Junior University # # Permission is hereby granted, free of charge, to any person obtaining a # copy of this software and associated documentation files (the "Software"), # to deal in the Software without restriction, including without limitation # the rights to use, copy, modify, merge, publish, distribute, sublicense, # and/or sell copies of the Software, and to permit persons to whom the # Software is furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL # THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER # DEALINGS IN THE SOFTWARE. # We use test_tmpdir. . "${SOURCE}/tap/libtap.sh" # Set up Kerberos, including the ticket cache environment variable. Bail out # if not successful, return 0 if successful, and return 1 if Kerberos is not # configured. Sets the global principal variable to the principal to use. kerberos_setup () { tap_keytab=`test_file_path config/keytab` principal=`test_file_path config/principal` principal=`cat "$principal" 2>/dev/null` if [ -z "$tap_keytab" ] || [ -z "$principal" ] ; then return 1 fi KRB5CCNAME=`test_tmpdir`/krb5cc_test; export KRB5CCNAME kinit --no-afslog -k -t "$tap_keytab" "$principal" >/dev/null </dev/null status=$? if [ $status != 0 ] ; then kinit -k -t "$tap_keytab" "$principal" >/dev/null </dev/null status=$? fi if [ $status != 0 ] ; then kinit -t "$tap_keytab" "$principal" >/dev/null </dev/null status=$? fi if [ $status != 0 ] ; then kinit -k -K "$tap_keytab" "$principal" >/dev/null </dev/null status=$? fi if [ $status != 0 ] ; then bail "Can't get Kerberos tickets" fi return 0 } # Clean up at the end of a test. Currently only removes the ticket cache. kerberos_cleanup () { tap_tmp=`test_tmpdir` rm -f "$tap_tmp"/krb5cc_test } # List the contents of a keytab with enctypes and keys. This adjusts for the # difference between MIT Kerberos (which uses klist) and Heimdal (which uses # ktutil). Be careful to try klist first, since the ktutil on MIT Kerberos # may just hang. Takes the keytab to list and the file into which to save the # output, and strips off the header containing the file name. ktutil_list () { tap_tmp=`test_tmpdir` if klist -keK "$1" > "$tap_tmp"/ktutil-tmp 2>/dev/null ; then : else ktutil -k "$1" list --keys > "$tap_tmp"/ktutil-tmp </dev/null \ 2>/dev/null fi sed -e '/Keytab name:/d' -e "/^[^ ]*:/d" "$tap_tmp"/ktutil-tmp > "$2" rm -f "$tap_tmp"/ktutil-tmp }