author | Andreas Schneider <asn@cryptomilk.org> | 2020-11-13 14:44:39 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2020-11-13 14:47:37 +0100 |
commit | 088b94b6a51041c310ba166d2ef53ad5b86ec762 (patch) | |
tree | e9abf6078c19998ffd192c4589d9b6a1cf6150cf | |
parent | 751edc20d4ee399486c34b4760274ca209eec2fb (diff) | |
krb5: Update the k tool!
-rwxr-xr-x | krb5/bin/k | 236 |
1 files changed, 167 insertions, 69 deletions
@@ -1,69 +1,167 @@
-#!/bin/bash
-
-redhat_princ="anschnei@REDHAT.COM"
-fedora_princ="asn@FEDORAPROJECT.ORG"
-
-##### DO NOT TOUCH BELOW #####
-
-princ=
-
-function usage()
-{
- echo "Usage: $(basename $0) redhat|fedora"
-}
-
-function run_cmd()
-{
- local cmd="$@"
- local ret=0
-
- eval echo "$cmd"
- out=$(eval $cmd)
- ret=$?
-
- if [ $ret -ne 0 ]; then
- return 1
- fi
-
- return 0
-}
-
-if [ $# != 1 ]; then
- usage
- exit 0
-fi
-
-case $1 in
- redhat)
- princ=$redhat_princ
- ;;
- fedora)
- princ=$fedora_princ
- ;;
- *)
- usage
- exit 0
-esac
-
-run_cmd kswitch -p $princ
-rc=$?
-
-if [ $rc -eq 0 ]; then
- run_cmd klist -s
- rc=$?
- if [ $rc -ne 0 ]; then
- run_cmd kdestroy -q
- rc=1
- fi
-fi
-
-count=3
-while [ $rc -eq 1 ]; do
- if [ $count -eq 0 ]; then
- break
- fi
- kinit $princ
- rc=$?
-done
-
-exit 0
+#!/usr/bin/env python3
+
+#######################################################################
+#
+# A script to calibrate camera lenes for lensfun
+#
+# Copyright (c) 2012-2016 Torsten Bronger <bronger@physik.rwth-aachen.de>
+# Copyright (c) 2018-2019 Andreas Schneider <asn@cryptomilk.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#######################################################################
+#
+# Requires: python3-keepassxc-browser
+#
+
+import os
+import argparse
+import socket
+import subprocess
+
+from subprocess import DEVNULL
+from keepassxc_browser import Connection, Identity, ProtocolError
+
+
+def get_credentials(url, auth_id):
+ state_file = os.path.expanduser('~/.%s' % (auth_id))
+ create_state_file = False
+
+ if os.path.exists(state_file):
+ with open(state_file, 'r') as f:
+ data = f.read()
+ cred = Identity.unserialize(auth_id, data)
+ else:
+ cred = Identity(auth_id)
+ create_state_file = True
+
+ c = Connection()
+ try:
+ c.connect()
+ except Exception as e:
+ print('ERROR: Failed to connect to keepassxc server.', e, file=sys.stderr)
+ exit(1)
+
+ try:
+ c.change_public_keys(cred)
+ db_hash = c.get_database_hash(cred)
+
+ if not c.test_associate(cred):
+ c.associate(cred)
+ except ProtocolError as e:
+ print('ERROR: Failed to associate credential exchange.', e, file=sys.stderr)
+ exit(1)
+
+ if create_state_file:
+ with open(state_file, 'w') as f:
+ f.write(cred.serialize())
+
+ try:
+ entry = c.get_logins(cred, url=url)
+ except ProtocolError as e:
+ print('ERROR: Failed to get login for %s.' % url, e, file=sys.stderr)
+ exit(1)
+
+ upn = entry[0]['login']
+ password = entry[0]['password']
+
+ return upn, password
+
+def run_cmd(cmd):
+ try:
+ subprocess.check_call(cmd, stdout=DEVNULL, stderr=subprocess.STDOUT)
+ except subprocess.CalledProcessError:
+ return False
+ except OSError:
+ print("Could not find %s" % cmd)
+ return False
+
+ return True
+
+def krb5_switch_upn(upn):
+ return run_cmd(['kswitch', '-p', upn])
+
+def krb5_destroy_ticket():
+ return run_cmd(['kdestroy', '-q'])
+
+def krb5_ticket_is_valid():
+ return run_cmd(['klist', '-s'])
+
+def krb5_get_ticket(upn, password):
+ cmd = ['kinit', upn]
+
+ try:
+ p = subprocess.Popen(cmd,
+ stdin=subprocess.PIPE,
+ stdout=DEVNULL,
+ stderr=subprocess.STDOUT)
+ p.communicate(input=password.encode())
+ except subprocess.CalledProcessError:
+ return False
+ except OSError:
+ print("Could not find %s" % cmd)
+ return False
+
+ return True
+
+def do_kinit(realm, auth_id):
+ upn, password = get_credentials('krb5://%s' % realm.upper(), auth_id)
+
+ print("Switching to %s" % upn)
+
+ ok = krb5_switch_upn(upn)
+ if ok:
+ if krb5_ticket_is_valid():
+ return
+ else:
+ krb5_destroy_ticket()
+
+ print("Doing kinit for %s" % upn)
+
+ ok = krb5_get_ticket(upn, password)
+ if not ok:
+ print("Kinit failed for %s" % upn)
+
+class CustomDescriptionFormatter(argparse.ArgumentDefaultsHelpFormatter,
+ argparse.RawDescriptionHelpFormatter):
+ pass
+
+def main():
+ description = '''
+This is a tool to get kerberos tickets with the credentials (upn, password)
+stored in keepassxc.
+
+In KeepassXC:
+
+ * Create a group Kerberos
+ * For each realm you want to authenticate with create an new entry with:
+ - Username: UPN (e.g. me@FEDORAPROJECT.ORG)
+ - Password: <your Kerberos password>
+ - URL: krb5://REALM (e.g. krb5://FEDORAPROJECT.ORG)
+ '''
+
+ parser = argparse.ArgumentParser(description=description,
+ formatter_class=CustomDescriptionFormatter)
+
+ parser.add_argument('realm', metavar='REALM', type=str,
+ help='The REALM to do kinit for.')
+
+ args = parser.parse_args()
+
+ auth_id = ('kinit_tool_%s' % (socket.gethostname()))
+
+ do_kinit(args.realm, auth_id)
+
+if __name__ == "__main__":
+ main()
|
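Review bot: `krb5_get_ticket` returns True even when kinit rejects the password, because `subprocess.Popen` and `communicate()` never raise `CalledProcessError` and the exit status is never read, so `do_kinit` can never print "Kinit failed"; the try body should end with `return p.returncode == 0`. In `get_credentials` the state file is created with plain `open(state_file, 'w')`, so its mode follows the umask; since it stores the serialized identity (which presumably carries the KeePassXC association key), it is safer to create it owner-only, e.g. `os.fdopen(os.open(state_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), 'w')`. Every error path prints to `sys.stderr`, but the import block has no `import sys`, so those paths would raise NameError instead of showing the message. `entry[0]` is also read without checking that `get_logins` returned at least one entry, so a realm with no matching entry may surface as an IndexError rather than a clear error.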