If you’re familiar with Kerberos, one way to check if a ticket is valid is to run
❯ klist Ticket cache: FILE:/tmp/krb5cc_1001 Default principal: username@UNIVERSITY.EDU.AU Valid starting Expires Service principal 02/07/21 11:26:50 02/07/21 21:26:50 krbtgt/UNIVERSITY.EDU.AU@UNIVERSITY.EDU.AU renew until 03/07/21 11:26:50 02/07/21 12:24:07 02/07/21 21:26:50 cifs/server1.UNIVERSITY.edu.au@UNIVERSITY.EDU.AU 02/07/21 12:24:07 02/07/21 21:26:50 cifs/server1.UNIVERSITY.edu.au@UNIVERSITY.EDU.AU ❯ date Mon 05 Jul 2021 16:01:59 AEST
From the above output, the principal ticket expired since 2 Jul. So how do we find out if the Kerberos (principal) ticket expires programmatically? This is something that I was trying to find out a few years ago, but kinda have been forgotten due to low priority.
Anyway, it turns out that we can also use
klist command to do this, but how?. According to the
man page for
klist, we can use
-s flag for this purpose.
❯ man klist | grep -- '-s ' -s Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired,
So let’s try it.
❯ klist -s ❯ echo $? 1
Look at that! Well, let’s renew the kerberos ticket and then verify with the
❯ kinit Password for username@UNIVERSITY.EDU.AU: ❯ klist -s; echo $? 0
Awesome. I think I just solved my own puzzle. I’ll leave you the links below if you want to read more about the
klist -s as well as a cool way to search the output of the man page as i did in
man klist | grep -- '-s '.