thsutton · February 23, 2022 22:37
diff --git a/vault-get-keytab.sh b/vault-get-keytab.sh
 #!/bin/sh

 # vault-get-keytab
 #
 # Rather than verify that it’s exactly the keytab we expect, this script checks that it is
 # (or appears to be) a keytab for the required principal.

 set -eu

 $vault_path=“$1”
 $principal=“$2”
 $target=“$3”

 F=$(mktemp -s /tmp/keytab.XXXXXX)
 trap ... “rm -f $F”

 chmod 600 $F

 vault read --field token “$vault_path” | base64 --decode > $F
 # should we test that we CAN get a ticket? Or that we OUGHT to be able to?
 kinit -kt $F “$principal”
 kdestroy -q
 # or: klist -kt “$F” | grep -q “$principal” 

 mv “$F” “$target”
	#!/bin/sh

	# vault-get-keytab
	#
	# Rather than verify that it’s exactly the keytab we expect, this script checks that it is
	# (or appears to be) a keytab for the required principal.

	set -eu

	$vault_path=“$1”
	$principal=“$2”
	$target=“$3”

	F=$(mktemp -s /tmp/keytab.XXXXXX)
	trap ... “rm -f $F”

	chmod 600 $F

	vault read --field token “$vault_path” \| base64 --decode > $F
	# should we test that we CAN get a ticket? Or that we OUGHT to be able to?
	kinit -kt $F “$principal”
	kdestroy -q
	# or: klist -kt “$F” \| grep -q “$principal”

	mv “$F” “$target”