Automate getting Kerberos tickets with kinit using secret-tool

README.md

README

I often have to get multiple Kerberos tickets and I do this with kinit [email protected] for example. Then I have to enter my password. This is annoying. The script kinit-wrapper helps me use the secret-tool to store passwords in the default keyring on the first run and later pull them out of the keyring.

First run

Here's an example of a first run:

$ kinit-wrapper 
Checking for password for principal "[email protected]"...NO PASSWORD FOUND. Please, enter it in the next step!
Password: 
Attempting to get a Kerberos token for principal "[email protected]"...OK
Checking for password for principal "[email protected]"...NO PASSWORD FOUND. Please, enter it in the next step!
Password: 
Attempting to get a Kerberos token for principal "[email protected]"...OK
Checking for password for principal "[email protected]"...NO PASSWORD FOUND. Please, enter it in the next step!
Password: 
Attempting to get a Kerberos token for principal "[email protected]"...OK

Second run

On a second run, I'm not asked for the password which is nice:

$ kdestroy -A && kinit-wrapper
Checking for password for principal "[email protected]"...FOUND
Attempting to get a Kerberos token for principal "[email protected]"...OK
Checking for password for principal "[email protected]"...FOUND
Attempting to get a Kerberos token for principal "[email protected]"...OK
Checking for password for principal "[email protected]"...FOUND
Attempting to get a Kerberos token for principal "[email protected]"...OK

Error

In case there's an error getting a Kerberos token, we'll tell you and assume that most likely you've mistyped your password:

$ kdestroy -A && kinit-wrapper 
Checking for password for principal "[email protected]"...FOUND
Attempting to get a Kerberos token for principal "[email protected]"...ERROR
Shall we remove the secret for principal "[email protected]" so that you can enter it again on the next run? (Y/N): Y
Removing password for principal "[email protected]".
Now run kinit-wrapper again!

When you run kinit-wrapper again it will prompt for the password for that prinicipal again.

kinit-wrapper.sh

#!/bin/bash

# Purpose: Get multiple kerberos tokens without having to enter passwords all the time.
# Author: Konrad Kleine

set +x

LANG=en_EN

principals=()

# TODO: Add your Kerberos principals here:
principals+=([email protected])
principals+=([email protected])
principals+=([email protected])

# Optionally uncomment this if you want to be reminded about connecting to VPN first.
#host ldap.corp.redhat.com >/dev/null 2>&1 || { 
#  echo "ERROR: Must be connected to the Red Hat VPN first!" 2>&1
#  exit 1
#}

for principal in ${principals[@]}; do 
  key_name=krb_$principal
  
  echo -n "Checking for password for principal \"$principal\"..."
  secret-tool search label $key_name 2>&1 | grep attribute.label >/dev/null 2>&1
  
  if [[ $? != 0 ]]; then
    echo "NO PASSWORD FOUND. Please, enter it in the next step!"
    secret-tool store --label="$key_name" \
      label $key_name \
      uuid $(uuidgen) created "$(date)"
  else
    echo "FOUND"
  fi

  echo -n "Attempting to get a Kerberos token for principal \"$principal\"..."
  secret-tool lookup label $key_name | /usr/bin/kinit $principal > /dev/null 2>&1
  if [[ $? != 0 ]]; then
    echo "ERROR"
    while true; do
        read -r -p "Shall we remove the secret for principal \"$principal\" so that you can enter it again on the next run? (Y/N): " answer
        case $answer in
            [Yy]* )
              echo "Removing password for principal \"$principal\"".
              secret-tool clear label $key_name;
              echo "Now run $(basename $0) again!"
              break;;
            [Nn]* ) 
              echo "Exiting"
              exit 1;;
            * ) echo "Please answer Y or N.";;
        esac
    done
    exit 1
  else
    echo "OK"
  fi
done