tty_krb_auth () {
# Interactive Kerberos authentication letting k5start decide if a tgt exists.
# Somewhat assumed cron kinit -R is handling renewal. Otherwise, you'd
# probably want to up the k5start happy ticket minutes.
local upn="$1" # Service principal name with which to kinit, e.g., 'name' or
# 'name@REALM'.
local k5start_args='-H 1 -l 7d'
[[ -n $upn ]] && k5start_args+=" $upn"
local k5start_stderr=
until k5start_stderr=$(k5start $k5start_args 2>&1 >/dev/tty); do
printf "%s: %s\n" "$FUNCNAME" "$k5start_stderr" >&2
case "$k5start_stderr" in
'k5start: error getting credentials: Preauthentication failed' )
local keypress=
read -rsn 1 -p $'Press c to cancel. Any other key to try again.\n' \
keypress
[[ $keypress != c ]] || return 1
;;
* )
return 1
;;
esac
done
}