RFC: perl modules for Kerberos database parsing

Dave Steiner steiner at bakerst.rutgers.edu
Sun Feb 10 13:53:35 EST 2002 

In a previous message I mentioned that I needed to generate a list of
all principals that have the KRB5_KDB_DISALLOW_ALL_TIX attribute set. 
So I need to parse the Kerberos database.  I've written a prototype
perl module to parse the Kerberos database, either from a dumped file
or directly from Kerberos (via "krb5_edit -r <realm> dump |").

I want to know if people would find something like this interesting
and useful.  Should I work this up into a full/complete module and
post it to CPAN?  If so, what features would people like?

After some thinking about it, here's a preliminary design to give you
an idea of what I'm talking about.  There would be two levels of perl
modules:

1. Deal with the database itself but would not parse the actual
entries.  You can load the data in one of two modes: (1) You can read
the records one at a time and process as you go along, or (2) you can
read in all the records without processing them but saving the data in
the database object and them process them.

This module supplies a database object and the following methods:

  new() - open the database, either from a file or from a pipe. 
Examine the header to decide what version of dump format this is. 
Load in the appropriate module(s) to parse the principal and policy
records.  Return a database object.
Various options will allow you to set the level of data consistancy
checking, the kerberos realm, etc.

  next() - return the next record in the input stream as an object. 
This will either be a principal or policy object, depending on what
was found (see below).

  read() - read and parse all records and stores them in the database
object (for large databases this will take up a lot more memory than
the above method).   Returns true on success and undef on failure.

  principals() - returns a reference to an array of principal objects
(loaded in from the read() method).

  policies() - returns a reference to an array of policy objects
(loaded in from the read() method).

  close() - close the input stream and report any errors.

2.  Modules to parse database records and return them as either
principal or policy objects.  Generally you wouldn't have to create
the principal or policy objects yourself as database methods would do
that for you but the constructors are new_princ() and new_policy(). 
There are accessor methods for all fields plus some additional ones
(like parsed date fields and a object type).  All versions of dump
formats would eventually be supported and the database module would
load the appropriate dump format module for you.

So the code to implement my needs is (along with some additional info
printed out):

#!/usr/local/bin/perl -w
use strict;
use Kerberos::KDB;
my $db = Kerberos::KDB->new( file  => 'slave_trans' );
while (my $p = $db->next) {
    if ($p->type eq 'princ') {
        # value of KRB5_KDB_DISALLOW_ALL_TIX 
        #  from /usr/local/include/krb5/kdb.h
        if ($p->attributes & 0x00000040) {
            print $p->name, ": attributes: ", $p->attributes,
                  "  [DISALLOW_ALL_TIX]\n";
        }
        if ($p->fail_auth_count > 5) {
            print $p->name, ": fail_auth_count: ",
                  $p->fail_auth_count, "\n";
        }
    }
    if ($p->type eq 'policy') {
        print "Found policy '", $p->name, "'\n";
    }
}
$db->close;


So, would people find something like this useful?  If so, what other
kind of features would you like to see?

-ds

More information about the Kerberos mailing list