Kerberos Database Auditing/Querying
John Devitofranceschi
jdvf at optonline.net
Fri May 25 08:29:09 EDT 2012
Yes, I thought about doing it that way. But I thought I would check if anything that didn't depend on parsing the output of kadmin[.local] was available first.
Thanks!
jd
On May 25, 2012, at 8:21, Oliver Loch <o.loch at gmx.net> wrote:
> Hi,
>
> it can be done pretty easily, like this:
>
> ======== SNIP ======= 8< =============
>
> #!/usr/bin/env bash
>
> # kadmin tool to use
> kadmin="/usr/bin/env kadmin.local"
>
> # local date in seconds since 1970
> ldate="$(date "+%s")"
>
> # list all principals available
> $kadmin -q getprincs | grep -v -E '^Authenticating.*' | while read -r line; do
>
>     # get the expiration date of the principal
>     expdate="$($kadmin -q "getprinc ${line}" | grep -E '^Expiration date.*' | awk '{ $1=""; $2=""; print $0}')"
>
>     # if the principal doesn't expire ...
>     if [[ "$expdate" =~ .*never.* ]]; then
>
>         # output the principal
>         echo "$line will never expire"
>         # next round please
>         continue
>     fi
>
>     # transform date to seconds since 1970
>     pedate=$(date -d "$expdate" "+%s")
>
>     # if the principal's expiration date is less than the local date...
>     if [ "$pedate" -lt "$ldate" ]; then
>
>         # output that the principal is expired
>         echo "$line is expired on $expdate"
>     else
>
>         # output that the principal will expire on $expdate
>         echo "$line is valid till $expdate"
>     fi
> done
>
> =======>8======= SNAP ==============
>
> You get the idea?
>
> KR,
>
> Oliver
>
> On 25.05.2012 at 13:01, John Devitofranceschi wrote:
>
>>
>> Are there any tools that would allow someone to generate reports from the KDC (or the local principal file) which answer questions like:
>>
>> Which principals are expired?
>>
>> Which principals have expired passwords?
>>
>> Which principals have passwords that will expire in N days?
>>
>> Which principals have policy "xyzzy"?
>>
>> You get the idea...
>>
>> Any pointers or pointers to pointers appreciated!
>>
>> jd
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
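The quoted script reports only account expiration. As an added example (not part of either poster's message), the sketch below extends the same `getprinc` parsing to the password expiration and policy questions from the original post. The function names are hypothetical, the sample output is constructed, and it assumes GNU `date` and `Label: value` lines in `getprinc` output.

```sh
#!/bin/sh
# Added example. Reads `kadmin.local -q "getprinc NAME"` text on stdin and
# prints: principal|account_state|password_state|policy
# Function names are hypothetical; assumes GNU date, as the script above does.

# Print the value of the first line that starts with "LABEL: ".
field() {
    awk -v label="$1" 'index($0, label ": ") == 1 {
        print substr($0, length(label) + 3); exit }'
}

# Classify a date string relative to NOW (epoch seconds) and a warning window.
state_of() (
    when=$1 now=$2 warn_days=$3
    case "$when" in
        '')    echo unknown ;;            # field missing from the output
        \[*\]) echo never ;;              # unset dates print as e.g. [never]
        *)  if ! epoch=$(date -d "$when" '+%s' 2>/dev/null); then echo unparsable
            elif [ "$epoch" -lt "$now" ]; then echo expired
            elif [ "$epoch" -lt $(( now + warn_days * 86400 )) ]; then echo expiring
            else echo valid
            fi ;;
    esac
)

report_principal() (
    now=$1 warn_days=$2
    text=$(cat)
    get() { printf '%s\n' "$text" | field "$1"; }
    printf '%s|%s|%s|%s\n' "$(get 'Principal')" \
        "$(state_of "$(get 'Expiration date')" "$now" "$warn_days")" \
        "$(state_of "$(get 'Password expiration date')" "$now" "$warn_days")" \
        "$(get 'Policy')"
)

# Constructed sample of getprinc output (not taken from a real KDC).
sample_getprinc() {
    cat <<'EOF'
Authenticating as principal root/admin@EXAMPLE.COM with password.
Principal: jdoe@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Mar 05 09:00:00 UTC 2012
Password expiration date: Fri Jun 01 00:00:00 UTC 2012
Policy: xyzzy
EOF
}

# Report as of the date of this thread, warning 14 days ahead.
sample_getprinc | report_principal "$(date -d 'Fri May 25 12:29:09 UTC 2012' '+%s')" 14
```

Feeding each name from `getprincs` through `report_principal` gives one pipe-delimited line per principal, which can then be filtered on the third field for password state or the fourth for a policy such as `xyzzy`.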