
Is there a "batchable" way to do ktutil list


Dan Mahoney (Gushi)

Apr 21, 2021, 3:56:51 AM
to kerb...@mit.edu
All,

Dayjob has a puppet fact that, under freeBSD, uses "ktutil list" to get
the kvno of a given host. This works great because the heimdal kerberos
that's built into freeBSD is what we like to parse. It takes a -k
argument to specify a keytab file.

Linux is another story. Under ubuntu, the mit version of ktutil gets
installed, and I can't figure out how to script it easily. There are no
documented ways to pass an arg, or even to print the version. (We can
glean it by looking at installed packages).

Is there another command that is more script-friendly? If not, can
someone share a good way to pass args to the MIT ktutil?

-Dan



--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------

Dameon Wagner

Apr 21, 2021, 4:16:02 AM
to kerb...@mit.edu
On Wed, Apr 21 2021 at 00:56:39 -0700, Dan Mahoney (Gushi) scribbled
in "Is there a "batchable" way to do ktutil list":
> All,
>
> Dayjob has a puppet fact that, under freeBSD, uses "ktutil list" to get
> the kvno of a given host. This works great because the heimdal kerberos
> that's built into freeBSD is what we like to parse. It takes a -k
> argument to specify a keytab file.
>
> Linux is another story. Under ubuntu, the mit version of ktutil gets
> installed, and I can't figure out how to script it easily. There are no
> documented ways to pass an arg, or even to print the version. (We can
> glean it by looking at installed packages).
>
> Is there another command that is more script-friendly? If not, can
> someone share a good way to pass args to the MIT ktutil?

If you want the "true" kvno value, from a KDC, then the `kvno` tool
will return the results you want.

If you want the kvno values from within a keytab, like ktutil would
provide, then I'd look at the `k5srvutil` tool, which will take
subcommands and arguments for passing in the path to a keytab.

Cheers.

Dameon.

--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><

Predrag Zecevic

Apr 21, 2021, 4:19:10 AM
to kerb...@mit.edu
On 21.04.2021 09:56, Dan Mahoney (Gushi) wrote:
> All,
>
> Dayjob has a puppet fact that, under freeBSD, uses "ktutil list" to get
> the kvno of a given host. This works great because the heimdal kerberos
> that's built into freeBSD is what we like to parse. It takes a -k
> argument to specify a keytab file.
>
> Linux is another story. Under ubuntu, the mit version of ktutil gets
> installed, and I can't figure out how to script it easily. There are no
> documented ways to pass an arg, or even to print the version. (We can
> glean it by looking at installed packages).
>
> Is there another command that is more script-friendly? If not, can
> someone share a good way to pass args to the MIT ktutil?
>
> -Dan
>
>
>
Hi Dan,

try using the *expect* tool, that is what I use...

Steps:
1: run ktutil once (under expect, which will save the terminal actions)
2: call it in batch, like this (this is an example of creating a keytab; you
have to adapt the script -- do not use it blindly):
---8<------
cat << EOEXPECT > /tmp/create-${TABLE}.keytab.exp
set force_conservative 0 ;# set to 1 to force conservative mode even if script wasn't run conservatively originally
if {\$force_conservative} {
set send_slow {1 .1}
proc send {ignore arg} {
sleep .1
exp_send -s -- \$arg
}
}

set timeout -1
spawn \$env(SHELL)
match_max 100000
expect " "
send -- "ktutil"
expect -exact "ktutil"
send -- "\r"
expect -exact "ktutil: "
send -- "addent -password -p ${1} -k 1 -e aes256-cts-hmac-sha1-96"
expect -exact "addent -password -p ${1} -k 1 -e aes256-cts-hmac-sha1-96"
send -- "\r"
...
expect eof
EOEXPECT

# Create keytab
expect -f /tmp/create-${TABLE}.keytab.exp
---8<------

HTH

Best regards.
--
Predrag Zečević
Technical Support Analyst
2e Systems GmbH

tel: +49 - 6196 - 95058 - 15
mob: +49 - 174 - 3109288
fax: +49 - 6196 - 95058 - 94
e-mail: predrag...@2e-systems.com

headquarter: 2e Systems GmbH, Koenigsteiner Str. 107, 65812 Bad Soden am
Taunus, Germany
registration: Amtsgericht Koenigstein (Germany), HRB 7303
managing director: Phil Douglas

http://www.2e-systems.com/ - Making your business fly!

Greg Hudson

Apr 21, 2021, 5:00:56 AM
to Dan Mahoney (Gushi), kerb...@mit.edu
On 4/21/21 3:56 AM, Dan Mahoney (Gushi) wrote:
> Dayjob has a puppet fact that, under freeBSD, uses "ktutil list" to get
> the kvno of a given host.
[...]
> Is there another command that is more script-friendly? If not, can
> someone share a good way to pass args to the MIT ktutil?

I think you want klist -k. (Dameon suggested k5srvutil; its "list"
subcommand just runs klist -k.)

Ken Hornstein

Apr 21, 2021, 6:39:06 AM
to Dan Mahoney (Gushi), kerb...@mit.edu
>Is there another command that is more script-friendly? If not, can
>someone share a good way to pass args to the MIT ktutil?

I think "klist -k" does what you want. You can pass arguments to ktutil
in a script via stdin and parse the output (we do that via a script),
that looks something like:

(echo "rkt $keytab" ; echo "list") | ktutil | [parse output]

The script this is from is so old, it predates the widespread use of the
'printf' command; that would probably be cleaner now.

--Ken
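The non-interactive listing route Greg and Ken describe, worked through as an added example (not code from the thread or from either Kerberos project) in Ruby, since Puppet custom facts are written in Ruby. It parses the keytab listing printed by MIT "klist -k [-e] KEYTAB" or by Heimdal "ktutil -k KEYTAB list" into a principal-to-highest-kvno map; the host names, realm and kvno values in the embedded samples are constructed, and the runner assumes the listing tool is on PATH.

```ruby
require 'open3'

# Parse a keytab listing from either MIT "klist -k [-e] KEYTAB" or Heimdal
# "ktutil -k KEYTAB list" into principal => highest kvno. Both print one
# entry per line: kvno is the first token, the principal is the only token
# containing '@'; header and separator lines have no leading integer.
def parse_keytab_listing(text)
  kvnos = {}
  text.each_line do |line|
    tokens = line.split
    next unless tokens.first&.match?(/\A\d+\z/)
    principal = tokens.find { |t| t.include?('@') }
    next unless principal
    kvno = tokens.first.to_i
    kvnos[principal] = kvno if kvno > kvnos.fetch(principal, -1)
  end
  kvnos
end

# Highest kvno for one principal, nil if the keytab holds no key for it.
def host_kvno(text, principal)
  parse_keytab_listing(text)[principal]
end

# Run the listing non-interactively and parse it, e.g.
#   keytab_kvnos(%w[klist -k /etc/krb5.keytab])        # MIT
#   keytab_kvnos(%w[ktutil -k /etc/krb5.keytab list])  # Heimdal
def keytab_kvnos(cmd)
  out, status = Open3.capture2(*cmd)
  raise "#{cmd.first} failed: #{status}" unless status.success?
  parse_keytab_listing(out)
end

# Constructed sample (not a real keytab) in MIT "klist -k -e" form.
MIT_SAMPLE = <<~OUT
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- ------------------------------------------------------------
     2 host/web1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
     3 host/web1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
     3 host/web1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
     1 nfs/web1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
OUT

# Constructed sample in Heimdal "ktutil -k KEYTAB list" form.
HEIMDAL_SAMPLE = <<~OUT
  Vno  Type                     Principal                             Aliases
    3  aes256-cts-hmac-sha1-96  host/web1.example.test@EXAMPLE.TEST
    4  aes128-cts-hmac-sha1-96  host/web1.example.test@EXAMPLE.TEST
OUT
```

Note that this parser is not meant for the output of MIT ktutil's own "list" subcommand, whose first column is the slot number rather than the kvno.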

James Ralston

May 3, 2021, 12:12:30 AM
to kerb...@mit.edu
Related to this: it would be tremendously useful if klist had a flag
to generate output intended to be machine-parsable, such as CSV or
JSON.

Yeah, I get it: the MIT Kerberos software predates UTF-8, let alone
JSON, and was written at a time when wizened greybeards (not machines)
were the ones parsing "klist" output. In terms of development
priorities versus free developer cycles, making klist output CSV/JSON
is probably far down on the priority stack.

But still. Not being able to get machine-readable output out of klist
turns what should be simple and useful scripting tasks, such as "scan
the 9 different TGTs in my credential cache collection and renew any
that expire in less than 12 hours", into "whee, I guess I'm writing a
finite-state automaton in shell again".

And while "klist -k" is a lot easier to parse than "klist" output
(because it's not multi-line), given that at our site we send a
boatload of host telemetry into Splunk every 30 minutes via an input
script that just execs "puppet facts --render-as json", it's
frustrating that there's no easy way to send up keytab data as well.

Robbie Harwood

May 3, 2021, 11:19:52 AM
to James Ralston, kerb...@mit.edu
James Ralston <ral...@pobox.com> writes:

> But still. Not being able to get machine-readable output out of klist
> turns what should be simple and useful scripting tasks, such as "scan
> the 9 different TGTs in my credential cache collection and renew any
> that expire in less than 12 hours", into "whee, I guess I'm writing a
> finite-state automaton in shell again".

If you're using GSSAPI, you may be able to skip this entirely by using
keytabs/client keytabs:
https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html#default-client-keytab

Thanks,
--Robbie