• Is there a "batchable" way to do ktutil list

    From Dan Mahoney (Gushi)@21:1/5 to All on Wed Apr 21 00:56:39 2021
    All,

    Dayjob has a puppet fact that, under FreeBSD, uses "ktutil list" to get
    the kvno of a given host. This works great because the Heimdal Kerberos
    that's built into FreeBSD is what we like to parse. It takes a -k
    argument to specify a keytab file.

    Linux is another story. Under Ubuntu, the MIT version of ktutil gets
    installed, and I can't figure out how to script it easily. There are no
    documented ways to pass an arg, or even to print the version. (We can
    glean it by looking at installed packages).

    Is there another command that is more script-friendly? If not, can
    someone share a good way to pass args to the MIT ktutil?

    -Dan



    --

    --------Dan Mahoney--------
    Techie, Sysadmin, WebGeek
    Gushi on efnet/undernet IRC
    FB: fb.com/DanielMahoneyIV
    LI: linkedin.com/in/gushi
    Site: http://www.gushi.org
    ---------------------------

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Predrag Zecevic@21:1/5 to All on Wed Apr 21 10:18:57 2021
    On 21.04.2021 09:56, Dan Mahoney (Gushi) wrote:
    All,

    Dayjob has a puppet fact that, under FreeBSD, uses "ktutil list" to get
    the kvno of a given host. This works great because the Heimdal Kerberos
    that's built into FreeBSD is what we like to parse. It takes a -k
    argument to specify a keytab file.

    Linux is another story. Under Ubuntu, the MIT version of ktutil gets
    installed, and I can't figure out how to script it easily. There are no
    documented ways to pass an arg, or even to print the version. (We can
    glean it by looking at installed packages).

    Is there another command that is more script-friendly? If not, can
    someone share a good way to pass args to the MIT ktutil?

    -Dan



    Hi Dan,

    try the *expect* tool, that is what I use...

    Steps:
    1: run ktutil once under expect (autoexpect), which will record the terminal actions
    2: call it in batch, like this (this is an example of creating a keytab; you
    have to adapt the script -- do not use it blindly):
    ---8<------
    # Generate the expect script. The heredoc is unquoted, so ${TABLE} and ${1}
    # are expanded by the shell now, while the escaped \$... are left for expect.
    # Note: the file lands in /tmp; anything the elided steps send (a password
    # for addent, for instance) is written there in clear.
    cat << EOEXPECT > /tmp/create-${TABLE}.keytab.exp
    set force_conservative 0  ;# set to 1 to force conservative mode even if
                              ;# script wasn't run conservatively originally
    if {\$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
            sleep .1
            exp_send -s -- \$arg
        }
    }

    set timeout -1
    spawn \$env(SHELL)
    match_max 100000
    expect " "
    # Type the command, wait for the terminal echo, then send Enter (autoexpect style).
    send -- "ktutil"
    expect -exact "ktutil"
    send -- "\r"
    expect -exact "ktutil: "
    send -- "addent -password -p ${1} -k 1 -e aes256-cts-hmac-sha1-96"
    expect -exact "addent -password -p ${1} -k 1 -e aes256-cts-hmac-sha1-96"
    send -- "\r"
    ...
    expect eof
    EOEXPECT

    # Create keytab
    expect -f /tmp/create-${TABLE}.keytab.exp
    ---8<------

    HTH

    Best regards.
    --
    Predrag Zečević
    Technical Support Analyst
    2e Systems GmbH

    tel: +49 - 6196 - 95058 - 15
    mob: +49 - 174 - 3109288
    fax: +49 - 6196 - 95058 - 94
    e-mail: predrag.zecevic@2e-systems.com

    headquarter: 2e Systems GmbH, Koenigsteiner Str. 107, 65812 Bad Soden am Taunus, Germany
    registration: Amtsgericht Koenigstein (Germany), HRB 7303
    managing director: Phil Douglas

    http://www.2e-systems.com/ - Making your business fly!

  • From Greg Hudson@21:1/5 to Dan Mahoney (Gushi) on Wed Apr 21 05:00:46 2021
    To: kerberos@mit.edu

    On 4/21/21 3:56 AM, Dan Mahoney (Gushi) wrote:
    Dayjob has a puppet fact that, under freeBSD, uses "ktutil list" to get
    the kvno of a given host.
    [...]
    Is there another command that is more script-friendly? If not, can
    someone share a good way to pass args to the MIT ktutil?

    I think you want klist -k. (Dameon suggested k5srvutil; its "list"
    subcommand just runs klist -k.)

  • From Dameon Wagner@21:1/5 to All on Wed Apr 21 09:15:53 2021
    On Wed, Apr 21 2021 at 00:56:39 -0700, Dan Mahoney (Gushi) scribbled
    in "Is there a "batchable" way to do ktutil list":
    All,

    Dayjob has a puppet fact that, under FreeBSD, uses "ktutil list" to get
    the kvno of a given host. This works great because the Heimdal Kerberos
    that's built into FreeBSD is what we like to parse. It takes a -k
    argument to specify a keytab file.

    Linux is another story. Under Ubuntu, the MIT version of ktutil gets
    installed, and I can't figure out how to script it easily. There are no
    documented ways to pass an arg, or even to print the version. (We can
    glean it by looking at installed packages).

    Is there another command that is more script-friendly? If not, can
    someone share a good way to pass args to the MIT ktutil?

    If you want the "true" kvno value, from a KDC, then the `kvno` tool
    will return the results you want.

    If you want the kvno values from within a keytab, like ktutil would
    provide, then I'd look at the `k5srvutil` tool, which will take
    subcommands and arguments for passing in the path to a keytab.

    Cheers.

    Dameon.

    --
    <> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
    Dr. Dameon Wagner, Unix Platform Services
    IT Services, University of Oxford
    <> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><

  • From Ken Hornstein@21:1/5 to Dan Mahoney (Gushi) on Wed Apr 21 06:38:43 2021
    Copy: kerberos@mit.edu

    Is there another command that is more script-friendly? If not, can
    someone share a good way to pass args to the MIT ktutil?

    I think "klist -k" does what you want. You can pass arguments to ktutil
    in a script via stdin and parse the output (we do that via a script),
    that looks something like:

    (echo "rkt $keytab" ; echo "list") | ktutil | [parse output]

    The script this is from is so old, it predates the widespread use of the
    'printf' command; that would probably be cleaner now.

    --Ken

  • From James Ralston@21:1/5 to kenh@cmf.nrl.navy.mil on Mon May 3 00:12:05 2021
    On Wed, Apr 21, 2021 at 6:42 AM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

    Is there another command that is more script-friendly? If not,
    can someone share a good way to pass args to the MIT ktutil?

    I think "klist -k" does what you want. You can pass arguments to
    ktutil in a script via stdin and parse the output (we do that via a
    script), that looks something like:

    (echo "rkt $keytab" ; echo "list") | ktutil | [parse output]

    The script this is from is so old, it predates the widespread use of
    the 'printf' command; that would probably be cleaner now.

    Related to this: it would be tremendously useful if klist had a flag
    to generate output intended to be machine-parsable, such as CSV or
    JSON.

    Yeah, I get it: the MIT Kerberos software predates UTF-8, let alone
    JSON, and was written at a time when wizened greybeards (not machines)
    were the ones parsing "klist" output. In terms of development
    priorities versus free developer cycles, making klist output CSV/JSON
    is probably far down on the priority stack.

    But still. Not being able to get machine-readable output out of klist
    turns what should be simple and useful scripting tasks, such as "scan
    the 9 different TGTs in my credential cache collection and renew any
    that expire in less than 12 hours", into "whee, I guess I'm writing a
    finite-state automaton in shell again".

    And while "klist -k" is a lot easier to parse than "klist" output
    (because it's not multi-line), given that at our site we send a
    boatload of host telemetry into Splunk every 30 minutes via an input
    script that just execs "puppet facts --render-as json", it's
    frustrating that there's no easy way to send up keytab data as well.

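    The two script-friendly routes discussed above (Ken's stdin-driven ktutil idiom and the klist -k listing that Greg and Dameon point to) together with the machine-readable output James asks for, as one added example. This is not code from any poster on this thread or from MIT Kerberos: a POSIX shell script that wraps the printf | ktutil trick, parses "klist -k -e" output into CSV or JSON, and extracts the highest kvno for one principal, which is what a Puppet fact needs. The keytab path, the principal names and the sample klist output are constructed for the example; the klist flags and the ktutil rkt/list subcommands are real MIT krb5 ones.

```shell
#!/bin/sh
# Added example, not from the thread or from MIT Kerberos: script-friendly
# keytab inspection for MIT krb5 on Linux.
# Assumed/constructed: the keytab path, the principal names and SAMPLE_KLIST
# below. "klist -k -e" and the ktutil "rkt"/"list" subcommands are real.

# 1. Batch-drive the interactive MIT ktutil over stdin (the printf form of
#    the "(echo ...; echo ...) | ktutil" idiom). Not run below: needs krb5.
ktutil_list() {            # usage: ktutil_list /etc/krb5.keytab
    printf 'rkt %s\nlist\n' "$1" | ktutil
}

# 2. Constructed "klist -k -e" output so the parser runs offline; on a real
#    host pipe "klist -k -e /etc/krb5.keytab" in instead. A kvno appears
#    once per enctype, so it must be deduplicated when reported.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/web1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/web1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/web1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 HTTP/web1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# klist -k -e output on stdin -> "kvno,principal,enctype" rows.
# Header and separator lines are skipped by requiring an all-digit field 1.
klist_to_csv() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 {
        enc = (NF >= 3) ? $3 : ""
        gsub(/[()]/, "", enc)
        printf "%s,%s,%s\n", $1, $2, enc
    }'
}

# Same rows as a JSON array, the shape a Puppet fact or a Splunk scripted
# input can take. Host/service principals contain no quotes or commas, so
# no JSON escaping is attempted here.
klist_to_json() {
    klist_to_csv | awk -F, '
        BEGIN { printf "[" }
        { printf "%s{\"kvno\":%d,\"principal\":\"%s\",\"enctype\":\"%s\"}",
                 (NR > 1 ? "," : ""), $1, $2, $3 }
        END { print "]" }'
}

# Highest kvno held in the keytab for one principal (empty output if the
# principal is absent). This is the keytab's view of the kvno; "kvno <princ>"
# asks the KDC for the current one, as Dameon notes.
keytab_kvno() {            # usage: keytab_kvno host/x@REALM < klist_output
    klist_to_csv | awk -F, -v p="$1" '
        $2 == p && (!found || $1 + 0 > max) { max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | klist_to_json
printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno host/web1.example.com@EXAMPLE.COM
```

    On a real host the pipeline is "klist -k -e /etc/krb5.keytab | klist_to_json"; klist -k is single-line per key, which is why it parses with one awk pass where the multi-line "klist" credential-cache output would not.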
  • From Robbie Harwood@21:1/5 to James Ralston on Mon May 3 11:19:24 2021
    To: kerberos@mit.edu

    James Ralston <ralston@pobox.com> writes:

    But still. Not being able to get machine-readable output out of klist
    turns what should be simple and useful scripting tasks, such as "scan
    the 9 different TGTs in my credential cache collection and renew any
    that expire in less than 12 hours", into "whee, I guess I'm writing a
    finite-state automaton in shell again".

    If you're using GSSAPI, you may be able to skip this entirely by using
    keytabs/client keytabs:
    https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html#default-client-keytab

    Thanks,
    --Robbie
