From f0d9cfcf3533f8c52bcb64fb0747a6fe6bf5674f Mon Sep 17 00:00:00 2001
From: gruoner
Date: Sun, 19 Jan 2025 14:03:33 +0100
Subject: [PATCH] with the KRB5 parameter one can use kerberos credentials to access SSH or RSYNC
---
 dev/debug_osync.sh | 18 ++++++++++++++----
 dev/n_osync.sh | 11 ++++++++---
 dev/ofunctions.sh | 7 ++++++-
 osync.sh | 18 ++++++++++++++----
 sync.conf.example | 3 +++
 5 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/dev/debug_osync.sh b/dev/debug_osync.sh
index 9d37b56a4..a94e74172 100755
--- a/dev/debug_osync.sh
+++ b/dev/debug_osync.sh
@@ -683,7 +683,7 @@ function SendEmail {
 encryption_string=
 elif [ "$encryption" == "tls" ]; then
 encryption_string=-starttls
- elif [ "$encryption" == "ssl" ]:; then
+ elif [ "$encryption" == "ssl" ]; then
 encryption_string=-ssl
 fi
 if [ "$smtpUser" != "" ] && [ "$smtpPassword" != "" ]; then
@@ -2118,6 +2118,11 @@ function PostInit {
 SSH_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p ssh) $SSH_COMP -q $SSH_OPTS $REMOTE_USER@$REMOTE_HOST -p $REMOTE_PORT"
 SCP_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p scp) $SSH_COMP -q -P $REMOTE_PORT"
 RSYNC_SSH_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p ssh) $SSH_COMP -q $SSH_OPTS -p $REMOTE_PORT"
+ elif [ $KRB5 ]; then
+ SSH_PASSWORD=""
+ SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS $REMOTE_USER@$REMOTE_HOST -p $REMOTE_PORT"
+ SCP_CMD="$(type -p scp) $SSH_COMP -q -P $REMOTE_PORT"
+ RSYNC_SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS -p $REMOTE_PORT"
 else
 SSH_PASSWORD=""
 SSH_CMD=""
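Review bot: `elif [ $KRB5 ]; then` is a plain non-empty test, so any value a user writes in the config, including `KRB5=false` or `KRB5=no`, selects the Kerberos branch; the rest of this file compares booleans by value (`[ "$REMOTE_OPERATION" == true ]`), so this should read `elif [ "$KRB5" == true ]; then`. Because it is an `elif` placed after the sshpass branch, the plain ssh/scp command lines are only built when the earlier branches do not match; the head of that `if` chain lies above the hunk, so the exact precedence against an existing key file cannot be confirmed from here. `SSH_PASSWORD=""` is cleared, but nothing verifies that a ticket is present, so a missing or expired ticket will only surface as a later ssh failure rather than at configuration time.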
@@ -2836,8 +2841,8 @@ function CheckCurrentConfigAll { exit 1 fi - if [ "$REMOTE_OPERATION" == true ] && ([ ! -f "$SSH_RSA_PRIVATE_KEY" ] && [ ! -f "$SSH_PASSWORD_FILE" ]); then - Logger "Cannot find rsa private key [$SSH_RSA_PRIVATE_KEY] nor password file [$SSH_PASSWORD_FILE]. No authentication method provided." "CRITICAL" + if [ "$REMOTE_OPERATION" == true ] && ([ ! -f "$SSH_RSA_PRIVATE_KEY" ] && [ ! -f "$SSH_PASSWORD_FILE" ] && [ ! $KRB5 ]); then + Logger "Cannot find rsa private key [$SSH_RSA_PRIVATE_KEY] nor password file [$SSH_PASSWORD_FILE] nor KRB5CCFILE. No authentication method provided." "CRITICAL" exit 1 fi @@ -6617,6 +6622,7 @@ function Usage { echo "--initiator=\"\" Master replica path. Will contain state and backup directory (is mandatory)" echo "--target=\"\" Local or remote target replica path. Can be a ssh uri like ssh://user@host.com:22//path/to/target/replica (is mandatory)" echo "--rsakey=\"\" Alternative path to rsa private key for ssh connection to target replica" + echo "--krb5 use KRB5 credential cache" echo "--ssh-controlmaster Allow using a single TCP connection for all ssh calls. Will make remote sync faster, but may fail easier on lossy links" echo "--password-file=\"\" If no rsa private key is used for ssh authentication, a password file can be used" echo "--remote-token=\"\" When using ssh filter protection, you must specify the remote token set in ssh_filter.sh" @@ -6793,7 +6799,11 @@ function GetCommandlineArguments { _DRYRUN=true opts=$opts" --dry" ;; - --silent) + --krb5) + KRB5=true + opts=$opts" --krb5" + ;; + --silent) _LOGGER_SILENT=true opts=$opts" --silent" ;; diff --git a/dev/n_osync.sh b/dev/n_osync.sh index ef68e14ef..63d90ff64 100755 --- a/dev/n_osync.sh +++ b/dev/n_osync.sh 
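Review bot: The added `[ ! $KRB5 ]` makes the guard pass for any non-empty value, so `KRB5=false` in a config file is accepted as an authentication method and the CRITICAL error is never raised; write it as `[ "$KRB5" != true ]` to match the `== true` comparison on the same line. The new message also says `nor KRB5CCFILE`, but nothing in the hunk inspects a credential cache (the Kerberos variable would be `KRB5CCNAME`, and it is not read either), so an operator will be sent looking for a file the script never checked; `... nor is KRB5=true set. No authentication method provided.` describes what was actually tested. If failing early on a missing ticket is wanted, a separate `klist -s` probe guarded by `type -p klist` in the KRB5 case would do that without misleading text. CheckCurrentConfigAll continues outside the hunk.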
@@ -234,8 +234,8 @@ function CheckCurrentConfigAll { exit 1 fi - if [ "$REMOTE_OPERATION" == true ] && ([ ! -f "$SSH_RSA_PRIVATE_KEY" ] && [ ! -f "$SSH_PASSWORD_FILE" ]); then - Logger "Cannot find rsa private key [$SSH_RSA_PRIVATE_KEY] nor password file [$SSH_PASSWORD_FILE]. No authentication method provided." "CRITICAL" + if [ "$REMOTE_OPERATION" == true ] && ([ ! -f "$SSH_RSA_PRIVATE_KEY" ] && [ ! -f "$SSH_PASSWORD_FILE" ] && [ ! $KRB5 ]); then + Logger "Cannot find rsa private key [$SSH_RSA_PRIVATE_KEY] nor password file [$SSH_PASSWORD_FILE] nor KRB5CCFILE. No authentication method provided." "CRITICAL" exit 1 fi @@ -2918,6 +2918,7 @@ function Usage { echo "--initiator=\"\" Master replica path. Will contain state and backup directory (is mandatory)" echo "--target=\"\" Local or remote target replica path. Can be a ssh uri like ssh://user@host.com:22//path/to/target/replica (is mandatory)" echo "--rsakey=\"\" Alternative path to rsa private key for ssh connection to target replica" + echo "--krb5 use KRB5 credential cache" echo "--ssh-controlmaster Allow using a single TCP connection for all ssh calls. Will make remote sync faster, but may fail easier on lossy links" echo "--password-file=\"\" If no rsa private key is used for ssh authentication, a password file can be used" echo "--remote-token=\"\" When using ssh filter protection, you must specify the remote token set in ssh_filter.sh" @@ -3094,7 +3095,11 @@ function GetCommandlineArguments { _DRYRUN=true opts=$opts" --dry" ;; - --silent) + --krb5) + KRB5=true + opts=$opts" --krb5" + ;; + --silent) _LOGGER_SILENT=true opts=$opts" --silent" ;; diff --git a/dev/ofunctions.sh b/dev/ofunctions.sh index a1a3235d9..4e9685d79 100755 --- a/dev/ofunctions.sh +++ b/dev/ofunctions.sh 
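Review bot: The new error text `nor KRB5CCFILE` does not match what the guard checks: `[ ! $KRB5 ]` only asks whether the variable is non-empty, and no credential cache file or `KRB5CCNAME` is examined anywhere in the hunk, so the log line claims a lookup that never happened. Replace it with `nor is KRB5=true set`, and tighten the test to `[ "$KRB5" != true ]` so that a config value of `false` does not count as an authentication method; if an early failure on a missing ticket is the intent, add an explicit `klist -s` check in the KRB5 case rather than implying one here. This hunk is repeated verbatim in dev/debug_osync.sh and osync.sh; if those are generated from this file, as the duplication suggests, this is the copy to fix. CheckCurrentConfigAll continues outside the hunk.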
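Review bot: `--krb5 use KRB5 credential cache` does not tell the user what the option requires: the PostInit branch added by this patch only drops sshpass and runs plain ssh/scp, so a ticket must already be in the credential cache of the user running osync (kinit, or a keytab-driven renewer for cron jobs), and nothing in the patch obtains or renews one. A help line such as `--krb5 Authenticate ssh/rsync with the caller's existing Kerberos ticket (GSSAPI); run kinit first, no key or password file is needed` states that, and the same sentence fits the `## use the KRB5 credential cache to access SSH or rsync` comment in sync.conf.example. It would also help to note that GSSAPI has to be enabled in the client ssh_config and on the target's sshd, which this script cannot do. Usage continues outside the hunk.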
@@ -691,7 +691,7 @@ function SendEmail {
 encryption_string=
 elif [ "$encryption" == "tls" ]; then
 encryption_string=-starttls
- elif [ "$encryption" == "ssl" ]:; then
+ elif [ "$encryption" == "ssl" ]; then
 encryption_string=-ssl
 fi
 if [ "$smtpUser" != "" ] && [ "$smtpPassword" != "" ]; then
@@ -2139,6 +2139,11 @@ function PostInit {
 SSH_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p ssh) $SSH_COMP -q $SSH_OPTS $REMOTE_USER@$REMOTE_HOST -p $REMOTE_PORT"
 SCP_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p scp) $SSH_COMP -q -P $REMOTE_PORT"
 RSYNC_SSH_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p ssh) $SSH_COMP -q $SSH_OPTS -p $REMOTE_PORT"
+ elif [ $KRB5 ]; then
+ SSH_PASSWORD=""
+ SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS $REMOTE_USER@$REMOTE_HOST -p $REMOTE_PORT"
+ SCP_CMD="$(type -p scp) $SSH_COMP -q -P $REMOTE_PORT"
+ RSYNC_SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS -p $REMOTE_PORT"
 else
 SSH_PASSWORD=""
 SSH_CMD=""
diff --git a/osync.sh b/osync.sh
index 0d486f595..ff0c0f8cd 100755
--- a/osync.sh
+++ b/osync.sh
@@ -636,7 +636,7 @@ function SendEmail {
 encryption_string=
 elif [ "$encryption" == "tls" ]; then
 encryption_string=-starttls
- elif [ "$encryption" == "ssl" ]:; then
+ elif [ "$encryption" == "ssl" ]; then
 encryption_string=-ssl
 fi
 if [ "$smtpUser" != "" ] && [ "$smtpPassword" != "" ]; then
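Review bot: The Kerberos branch builds the ssh, scp and rsync transport command lines without any GSSAPI option, so whether a ticket is used at all depends on the client's ssh_config: upstream OpenSSH defaults `GSSAPIAuthentication` to `no` (several distributions switch it on in /etc/ssh/ssh_config), and when it is off, or the ticket has expired, ssh silently falls through to other methods and, without `BatchMode`, to an interactive password prompt that hangs an unattended run. Pass the options explicitly, and pin `GSSAPIDelegateCredentials=no` so the sync target never receives a forwardable TGT for the backup user even if a site-wide config enables delegation; the same three command lines should also use `[ "$KRB5" == true ]` rather than the non-empty test, since `KRB5=false` in a config would otherwise take this branch. Whether `$SSH_OPTS` already carries `BatchMode` cannot be seen from here, so drop that option from the snippet below if it does. The target's sshd must also allow GSSAPI, which is worth a line in the docs. The enclosing `if` chain starts above the hunk.
```shell
	elif [ "$KRB5" == true ]; then
		# GSSAPI only: upstream OpenSSH defaults GSSAPIAuthentication to no, never
		# delegate the ticket to the target, and fail instead of prompting when it is gone.
		KRB5_SSH_OPTS="-o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no -o BatchMode=yes"
		SSH_PASSWORD=""
		SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS $KRB5_SSH_OPTS $REMOTE_USER@$REMOTE_HOST -p $REMOTE_PORT"
		SCP_CMD="$(type -p scp) $SSH_COMP -q $KRB5_SSH_OPTS -P $REMOTE_PORT"
		RSYNC_SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS $KRB5_SSH_OPTS -p $REMOTE_PORT"
```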
@@ -1970,6 +1970,11 @@ function PostInit { SSH_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p ssh) $SSH_COMP -q $SSH_OPTS $REMOTE_USER@$REMOTE_HOST -p $REMOTE_PORT" SCP_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p scp) $SSH_COMP -q -P $REMOTE_PORT" RSYNC_SSH_CMD="$(type -p sshpass) -f $SSH_PASSWORD_FILE $(type -p ssh) $SSH_COMP -q $SSH_OPTS -p $REMOTE_PORT" + elif [ $KRB5 ]; then + SSH_PASSWORD="" + SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS $REMOTE_USER@$REMOTE_HOST -p $REMOTE_PORT" + SCP_CMD="$(type -p scp) $SSH_COMP -q -P $REMOTE_PORT" + RSYNC_SSH_CMD="$(type -p ssh) $SSH_COMP -q $SSH_OPTS -p $REMOTE_PORT" else SSH_PASSWORD="" SSH_CMD="" @@ -2683,8 +2688,8 @@ function CheckCurrentConfigAll { exit 1 fi - if [ "$REMOTE_OPERATION" == true ] && ([ ! -f "$SSH_RSA_PRIVATE_KEY" ] && [ ! -f "$SSH_PASSWORD_FILE" ]); then - Logger "Cannot find rsa private key [$SSH_RSA_PRIVATE_KEY] nor password file [$SSH_PASSWORD_FILE]. No authentication method provided." "CRITICAL" + if [ "$REMOTE_OPERATION" == true ] && ([ ! -f "$SSH_RSA_PRIVATE_KEY" ] && [ ! -f "$SSH_PASSWORD_FILE" ] && [ ! $KRB5 ]); then + Logger "Cannot find rsa private key [$SSH_RSA_PRIVATE_KEY] nor password file [$SSH_PASSWORD_FILE] nor KRB5CCFILE. No authentication method provided." "CRITICAL" exit 1 fi 
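Review bot: The Kerberos branch added here duplicates, line for line, the one this same patch adds to dev/ofunctions.sh, and dev/debug_osync.sh receives a third copy; that pattern suggests osync.sh and dev/debug_osync.sh are generated from the dev/ sources, in which case corrections should land in dev/ofunctions.sh and be regenerated rather than hand-patched in three places, or the copies will drift. Whichever file is the source, `elif [ $KRB5 ]; then` accepts any non-empty value, so `KRB5=false` from a config file still takes this branch; `elif [ "$KRB5" == true ]; then` is the safe form and matches how the file tests `REMOTE_OPERATION`. The enclosing `if` chain begins above the hunk.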
@@ -6375,6 +6380,7 @@ function Usage { echo "--initiator=\"\" Master replica path. Will contain state and backup directory (is mandatory)" echo "--target=\"\" Local or remote target replica path. Can be a ssh uri like ssh://user@host.com:22//path/to/target/replica (is mandatory)" echo "--rsakey=\"\" Alternative path to rsa private key for ssh connection to target replica" + echo "--krb5 use KRB5 credential cache" echo "--ssh-controlmaster Allow using a single TCP connection for all ssh calls. Will make remote sync faster, but may fail easier on lossy links" echo "--password-file=\"\" If no rsa private key is used for ssh authentication, a password file can be used" echo "--remote-token=\"\" When using ssh filter protection, you must specify the remote token set in ssh_filter.sh" @@ -6550,7 +6556,11 @@ function GetCommandlineArguments { _DRYRUN=true opts=$opts" --dry" ;; - --silent) + --krb5) + KRB5=true + opts=$opts" --krb5" + ;; + --silent) _LOGGER_SILENT=true opts=$opts" --silent" ;; diff --git a/sync.conf.example b/sync.conf.example index aa42c593c..0bb252960 100644 --- a/sync.conf.example +++ b/sync.conf.example @@ -21,6 +21,9 @@ SSH_RSA_PRIVATE_KEY="/home/backupuser/.ssh/id_rsa" ## Alternatively, you may specify an SSH password file (less secure). Needs sshpass utility installed. SSH_PASSWORD_FILE="" +## use the KRB5 credential cache to access SSH or rsync +#KRB5=true + ## When using ssh filter, you must specify a remote token matching the one setup in authorized_keys _REMOTE_TOKEN=SomeAlphaNumericToken9