johnslattery
8/19/2016 - 7:43 PM


Assumption is that you have a cron job doing kinit -R every few hours, which takes care of renewing an existing TGT. We pass -H 1 to k5start only so that k5start decides whether a TGT already exists.

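tty_krb_auth () {
  # Interactive Kerberos authentication letting k5start decide if a tgt exists.
  # Somewhat assumed cron kinit -R is handling renewal. Otherwise, you'd
  # probably want to up the k5start happy ticket minutes.
  #
  # Arguments: $1 - principal with which to kinit, e.g., 'name' or
  #            'name@REALM'. Optional; when empty no principal is passed
  #            and k5start chooses on its own.
  # Outputs:   k5start's stdout is sent to the controlling terminal;
  #            its stderr is captured and echoed to our stderr on failure.
  # Returns:   0 once k5start succeeds, 1 if the user cancels after a
  #            preauthentication failure or on any other k5start error.

  local upn="$1"

  # Build the command line as an array so that a principal containing
  # whitespace or glob characters reaches k5start as exactly one argument
  # instead of being word-split into extra (possibly option-like) words.
  local -a k5start_args=(-H 1 -l 7d)
  if [[ -n $upn ]]; then
    k5start_args+=("$upn")
  fi

  local k5start_stderr=

  # Capture only stderr; stdout must still reach the tty for the user.
  until k5start_stderr=$(k5start "${k5start_args[@]}" 2>&1 >/dev/tty); do
    printf '%s: %s\n' "$FUNCNAME" "$k5start_stderr" >&2
    case "$k5start_stderr" in
      'k5start: error getting credentials: Preauthentication failed' )
        # Preauthentication failure: offer a retry instead of giving up.
        local keypress=
        read -rsn 1 -p $'Press c to cancel. Any other key to try again.\n' \
          keypress
        [[ $keypress != c ]] || return 1
        ;;
      * )
        return 1
        ;;
    esac
  done
}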