If you’re familiar with Kerberos, one way to check if a ticket is valid is to run the klist command.
❯ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: username@UNIVERSITY.EDU.AU
Valid starting Expires Service principal
02/07/21 11:26:50 02/07/21 21:26:50 krbtgt/UNIVERSITY.EDU.AU@UNIVERSITY.EDU.AU
renew until 03/07/21 11:26:50
02/07/21 12:24:07 02/07/21 21:26:50 cifs/server1.UNIVERSITY.edu.au@UNIVERSITY.EDU.AU
02/07/21 12:24:07 02/07/21 21:26:50 cifs/server1.UNIVERSITY.edu.au@UNIVERSITY.EDU.AU
❯ date
Mon 05 Jul 2021 16:01:59 AEST
From the above output, the principal ticket expired on 2 Jul. So how do we find out programmatically whether the Kerberos (principal) ticket has expired? This is something that I was trying to find out a few years ago, but it has kinda been forgotten due to low priority.
Anyway, it turns out that we can also use the klist command to do this, but how? According to the man page for klist, we can use the -s flag for this purpose.
❯ man klist | grep -- '-s '
-s Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired,
So let’s try it.
❯ klist -s
❯ echo $?
1
Look at that! Well, let’s renew the Kerberos ticket and then verify with klist -s.
❯ kinit
Password for username@UNIVERSITY.EDU.AU:
❯ klist -s; echo $?
0
Awesome. I think I just solved my own puzzle. I’ll leave you the links below if you want to read more about klist -s, as well as a cool way to search the output of the man page, as I did in man klist | grep -- '-s '.
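As an added example (not from the original post), the exit status of klist -s can gate a non-interactive job such as a cron task, so it stops early instead of failing later with an authentication error. The function names ensure_ticket and run_with_ticket are hypothetical, and the renewal step assumes kinit -R, which only succeeds while the ticket's "renew until" time has not passed.

```shell
#!/bin/sh
# Added example: gate a job on a usable Kerberos ticket.
# ensure_ticket and run_with_ticket are hypothetical helper names.

# Return 0 if the credentials cache holds an unexpired ticket, trying a
# password-less renewal first when it does not. Return 1 if a fresh
# interactive kinit is required.
ensure_ticket() {
    # klist -s prints nothing; exit status 1 means the cache cannot be
    # read or is expired.
    if klist -s; then
        return 0
    fi
    # kinit -R renews the existing TGT without prompting. Re-check with
    # klist -s rather than trusting the renewal blindly.
    if kinit -R >/dev/null 2>&1 && klist -s; then
        return 0
    fi
    return 1
}

# Run the given command only when a ticket is available.
run_with_ticket() {
    if ! ensure_ticket; then
        echo "no valid Kerberos ticket; run kinit" >&2
        return 75   # EX_TEMPFAIL from sysexits.h: retry later
    fi
    "$@"
}
```

In the session shown earlier, the "renew until" time (03/07/21) had already passed by 5 Jul, so the renewal branch would fail and ensure_ticket would return 1, matching the manual kinit that was needed.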