From Marc Mengel (9/17/01)
__________________________

I have a script "k5push" to push local tickets to remote machines. [attached]

Basically it uses kerberos-rsh to go to the remote system, and updates ticket cache files in /tmp with the new tickets. You can also do k5push user@host if you go in as a different user, but be aware that if it's a shared account, you'll be possibly updating other folks' ticket files with your tickets. It makes quite a few checks to make sure that the ticket file is really one of yours, and belongs to a running session. You can also keep a list of systems to update, and do k5push -f file whenever you do a kinit.

#!/bin/sh

# optional leading -d: trace locally and in the remote shell
if [ "$1" = "-d" ]
then
    set -x
    debugflag=x
    shift
else
    debugflag=
fi

if [ $# -lt 1 ]
then
    echo "usage: $0 [-d] [-c cycletime] [-f file] [[user@]host ...]" >&2
    echo "to push kerberos tickets from here to sessions on host1 host2 ..." >&2
    echo "-d turns on debugging" >&2
    echo "-c check for updated ticket every cycletime seconds" >&2
    echo "-f specify file containing [user@]host list" >&2
    exit 1
fi

listfile=""
repeatflag=0
while :
do
    case "x$1" in
    x-f) listfile=$2; shift; shift;;
    x-c) repeatflag=1; delay=$2; shift; shift;;
    *)   break;;
    esac
done

# with -c, remember what the current tickets look like
if [ "$repeatflag" = 1 ]
then
    output="`klist -f | head -5`"
fi

firsttime=1
while [ $firsttime = 1 -o $repeatflag = 1 ]
do
    firsttime=0
    if [ $repeatflag = 1 ]
    then
        # wait for ticket cache to be updated
        newoutput="`klist -f | head -5`"
        while [ "$newoutput" = "$output" ]
        do
            sleep $delay
            newoutput="`klist -f | head -5`"
        done
        output="$newoutput"
    fi

    # with -f, the host list comes from the file
    if [ "x$listfile" != "x" ]
    then
        set `cat $listfile`
    fi

    for host_user in "$@"
    do
        case "$host_user" in
        *@*)cmd="`echo $host_user | sed -e 's/\(.*\)@\(.*\)/host=\2;user=\1/'`"
            eval "$cmd"
            uargs="-l $user"
            ;;
        *)  host=$host_user; user=$USER
            uargs=""
        esac

        #
        # the block we rsh is a little convoluted:
        #   Get the list of pid-cache-file candidates
        #     keep any mentioning our username
        #   filter:
        #     cut out any symlinks
        #     trim everything up to /tmp/
        #   filter again:
        #     skip our current credential file
        #     any filenames which still have our username
        #       (beware of Geeks Bearing Gifts)
        #   loop through results each as $file
        #     check what sort of file
        #       /tmp/krb5cc_p* -> valid if pid is a kshd
        #                         continue otherwise
        #       /tmp/krb5cc_ -> valid if tty exists and USER's
        #                         continue otherwise
        #     print a message
        #     copy the current creds to that file
        #
        (/usr/krb5/bin/rsh $uargs -F $host /bin/sh -${debugflag} 2>&1 | cat) << 'EOF'
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/bsd:/usr/ucb
export PATH
cd /tmp
if ls -ld . | grep -v '^drwxrwxrwt' > /dev/null
then
    echo "Skipping `hostname` due to bad modes on /tmp"
    exit
fi
echo Updating keys for $USER on `hostname`
curcred=`echo $KRB5CCNAME | sed -e sxFILE:xx -e sx/tmp/xx`
credls="`ls -l ./krb5cc_* | grep ' '$USER' '`"
credfiles="`echo "$credls" | grep -v '^l' | cut -f 2 -d / `"
credfiles="`echo "$credfiles" | grep -v $curcred | grep -v ' '$USER' '`"
for file in $credfiles
do
    case $file in
    *_p*)
        pid=`echo $file | sed -e sx.*krb5cc_pxx`
        if (ps $pid 2>/dev/null || ps -p $pid 2>/dev/null) |
            sed -e "s/^/found: $file => /" |
            egrep 'kshd|klogind|telnetd|sshd'
        then
            echo updating $file
            cp ./$curcred ./$file
        fi
        ;;
    *)
        tty=`echo $file | sed -e sx.*krb5cc_xx`
        if ls -Ll /dev/$tty /dev/pts/$tty 2>/dev/null |
            sed -e "s/^/found: $file => /" |
            grep $USER
        then
            echo updating $file
            cp ./$curcred ./$file
        fi
        ;;
    esac
done
/usr/krb5/bin/kdestroy
EOF
    done
done
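
Added example, not part of the original message or of k5push: the same "is this ticket file really one of mine" checks the message describes (sticky /tmp, no symlinks, not the source cache, owned by the caller), written with shell test operators instead of parsing ls -l for the username. The function names are hypothetical, and the running-session check (pid or tty) is left to the script above.

```sh
#!/bin/sh
# Added example: decide whether a ticket cache file in a shared directory
# may be overwritten. Function names are hypothetical, not from k5push.

# dir_is_sticky_tmp DIR -> 0 only if DIR has exactly the mode drwxrwxrwt
dir_is_sticky_tmp() {
    [ -d "$1" ] || return 1
    mode=`ls -ld "$1" | cut -c1-10`   # ignore ACL/SELinux suffix chars
    [ "$mode" = "drwxrwxrwt" ]
}

# safe_ccache_target DIR NAME CURRENT -> 0 if DIR/NAME may be overwritten
safe_ccache_target() {
    dir=$1 name=$2 current=$3
    case $name in
        krb5cc_*) ;;                  # only ticket cache names
        *) return 1 ;;
    esac
    case $name in
        */*|*..*) return 1 ;;         # no path components
    esac
    [ "$name" != "$current" ] || return 1   # never overwrite the source cache
    dir_is_sticky_tmp "$dir" || return 1
    [ ! -L "$dir/$name" ] || return 1       # reject symlinks
    [ -f "$dir/$name" ] || return 1         # regular files only
    [ -O "$dir/$name" ]                     # owned by our effective uid
}

# list_safe_targets DIR CURRENT -> prints each acceptable cache name
list_safe_targets() {
    for path in "$1"/krb5cc_*
    do
        name=${path##*/}
        if safe_ccache_target "$1" "$name" "$2"
        then
            echo "$name"
        fi
    done
}
```

In a sticky directory only a file's owner (or root) can rename or remove it, which is why the directory-mode check comes before the ownership check.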