getprinc -terse format
Mike Friedman
mikef at ack.Berkeley.EDU
Mon Aug 30 12:23:22 EDT 2004
On Mon, 30 Aug 2004 at 10:48 (+0200), Lukas Kubin wrote:
> I would like to parse "getprinc -terse" output in our accounts
> administration scripts. However I can't find the "terse" output format
> description. E.g. when I need to look for the "needchange" option, I don't
> know which of the fields stores this value. Is there any description of
> the "terse" format somewhere (except for the source code)?
Lukas,
I had the same requirement, so I found the answer in the source code (see
below for the field layout).
As it happens, a principal's attributes, such as 'needchange', are
represented as a sequence of bit flags, aggregated into a single byte.
So after you find the field (1 byte long), you have to parse the bits.
First, here's the layout of the output from 'getprinc -terse':
======================================================================
Fields in 'getprinc -terse' output
princ-canonical-name
princ-exp-time
last-pw-change
pw-exp-time
princ-max-life
modifying-princ-canonical-name
princ-mod-date
princ-attributes <=== This is the field you want
princ-kvno
princ-mkvno
princ-policy (or 'None')
princ-max-renewable-life
princ-last-success
princ-last-failed
princ-fail-auth-count
princ-n-key-data
ver
kvno
data-type[0]
data-type[1]
======================================================================
Following is a perl subroutine I use to check for a specific attribute
value. To see if the 'needchange' option is set, you would do something
like this:
    my $REQUIRES_PWCHANGE = 512;
    if (&attribute($REQUIRES_PWCHANGE)) {
        # needchange attribute is set
        ...
        ...
    }
(The value '512' represents the bit position in the 'attributes' byte
corresponding to 'needchange').
# ----------------------------------------------------
sub attribute {
    # Check whether a KDC attribute flag is set for a specified
    # principal. Return 1 if it is, 0 if not.
    # ($kadmin and $userID are not declared here; they are globals
    # set by the calling script.)
    my ($attr_flag) = @_;
    my $rc;
    my $xx;
    my ($attribute_string, @attributes, $flags);
    $attribute_string = `$kadmin 'getprinc -terse $userID' 2>/dev/null`;
    # Discard the first line of output; the terse record is on the second.
    ($xx, $attribute_string) = split(/\n/, $attribute_string);
    @attributes = split(" ", $attribute_string);
    # Field 7 (counting from 0) is princ-attributes.
    $flags = $attributes[7];
    # If attribute is set, return 1, else 0:
    $rc = ($flags & $attr_flag) ? 1 : 0;
    return $rc;
}
# ----------------------------------------------------
I hope this helps.
Mike
------------------------------------------------------------------------------
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
------------------------------------------------------------------------------
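
An added example, not part of the original message or of the krb5 distribution: a stricter form of the check above that decodes every flag in the attributes field and dies, rather than reporting "not set", when the record is short or the field is not numeric. The flag values are the KRB5_KDB_* constants from MIT krb5's kdb.h; the sample record, the names parse_terse and flags_set, and the whitespace-separated layout (taken from the split in the message) are assumptions of this example.

```perl
use strict;
use warnings;

# KRB5_KDB_* attribute bits from MIT krb5's kdb.h ('needchange' is 0x200 = 512).
my %KDB_FLAG = (
    DISALLOW_POSTDATED   => 0x0001, DISALLOW_FORWARDABLE => 0x0002,
    DISALLOW_TGT_BASED   => 0x0004, DISALLOW_RENEWABLE   => 0x0008,
    DISALLOW_PROXIABLE   => 0x0010, DISALLOW_DUP_SKEY    => 0x0020,
    DISALLOW_ALL_TIX     => 0x0040, REQUIRES_PRE_AUTH    => 0x0080,
    REQUIRES_HW_AUTH     => 0x0100, REQUIRES_PWCHANGE    => 0x0200,
    DISALLOW_SVR         => 0x1000, PWCHANGE_SERVICE     => 0x2000,
);

# Field order as listed in the message; index 7 is attributes (key names are this example's own).
my @FIELDS = qw(name princ_exp last_pw_change pw_exp max_life mod_name
                mod_date attributes kvno mkvno policy max_renew_life
                last_success last_failed fail_auth_count n_key_data);

# Parse one terse record into a hash ref; die on anything malformed so a
# failed lookup is never mistaken for "flag not set".
sub parse_terse {
    my ($line) = @_;
    my @f = split ' ', $line // '';
    die "short record: got " . scalar(@f) . " fields\n" if @f < @FIELDS;
    my %rec;
    @rec{@FIELDS} = @f[0 .. $#FIELDS];
    die "non-numeric attributes: $rec{attributes}\n"
        unless $rec{attributes} =~ /^\d+$/;
    $rec{attributes} += 0;    # force numeric so '&' is a bitwise AND
    s/^"|"$//g for @rec{qw(name mod_name policy)};   # drop quotes, if any
    return \%rec;
}

# Names of all flags set in an attributes value, lowest bit first.
sub flags_set {
    my ($attrs) = @_;
    return sort { $KDB_FLAG{$a} <=> $KDB_FLAG{$b} }
           grep { $attrs & $KDB_FLAG{$_} } keys %KDB_FLAG;
}

# Constructed sample record (not real kadmin output); 640 = 512 + 128.
my $sample = join ' ', '"jdoe@EXAMPLE.COM"', 0, 1093881600, 0, 86400,
    '"admin/admin@EXAMPLE.COM"', 1093881600, 640, 2, 0, 'None', 604800,
    0, 0, 0, 1, 1, 2, 16, 0;

my $rec = parse_terse($sample);
print "$rec->{name}: ", join(',', flags_set($rec->{attributes})), "\n";
print "needchange is ", ($rec->{attributes} & $KDB_FLAG{REQUIRES_PWCHANGE} ? "set" : "not set"), "\n";
print "empty output rejected\n" unless eval { parse_terse(''); 1 };
```

When feeding it live output, pass the principal name to kadmin as a separate argument (list-form open or system) instead of interpolating it into a backtick string, since a name from an accounts feed would otherwise reach the shell.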