Kerberos Database Auditing/Querying

John Devitofranceschi jdvf at optonline.net
Fri May 25 08:29:09 EDT 2012


Yes, I thought about doing it that way. But I thought I would check if anything that didn't depend on parsing the output of kadmin[.local] was available first.

Thanks!

jd



On May 25, 2012, at 8:21, Oliver Loch <o.loch at gmx.net> wrote:

> Hi,
> 
> it can be done pretty easily, like this:
> 
> ======== SNIP ======= 8< =============
> 
> #!/usr/bin/env bash
> 
> # kadmin tool to use
> kadmin="/usr/bin/env kadmin.local"
> 
> # local date in seconds since 1970
> ldate="$(date "+%s")"
> 
> # list all principals available
> $kadmin -q getprincs | grep -v -E '^Authenticating.*' | while read line; do
> 
>        # get the expiration date of the principal (drop the "Expiration date:" label)
>        expdate="$($kadmin -q "getprinc ${line}" | grep -E '^Expiration date.*' | awk '{ $1=""; $2=""; print $0 }')";
> 
>        # if the principal doesn't expire ...
>        if [[ "$expdate" =~ .*never.* ]]; then
> 
>                # output the principal
>                echo "$line will never expire"
>                # next round please
>                continue;
>        fi
> 
>        # transform date to seconds since 1970
>        pedate=$(date -d "$expdate" "+%s");
> 
>        # if the principal's expiration date is earlier than the local date...
>        if [ $pedate -lt $ldate ]; then
> 
>                # output that the principal is expired
>                echo "$line is expired on $expdate";
>        else
> 
>                # output that the principal will expire on $expdate
>                echo "$line is valid till $expdate";
>        fi
> done
> 
> =======>8======= SNAP ==============
> 
> You get the idea?
> 
> KR,
> 
> Oliver
> 
> Am 25.05.2012 um 13:01 schrieb John Devitofranceschi:
> 
>> 
>> Are there any tools that would allow someone to generate reports from the KDC (or the local principal file) which answer questions like:
>> 
>> Which principals are expired?
>> 
>> Which principals have expired passwords?
>> 
>> Which principals have passwords that will expire in N days?
>> 
>> Which principals have policy "xyzzy"?
>> 
>> You get the idea...
>> 
>> Any pointers or pointers to pointers appreciated!
>> 
>> jd
>> 
>> 
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
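The following is an added example, not code from this thread: it answers all four of the questions asked above by parsing the fields that `kadmin.local -q "getprinc <name>"` prints, run here against a constructed sample instead of a live KDC. It assumes MIT's field names and date format, drops the zone name so `now` must be a naive datetime in the KDC's own zone (the sample uses UTC), and the principal names, policy name and dates are invented.

```python
from datetime import datetime, timedelta
# Constructed sample (not real KDC data) of MIT getprinc output for three principals.
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Password expiration date: Sun Jun 03 10:00:00 UTC 2012
Policy: xyzzy
Principal: bob@EXAMPLE.COM
Expiration date: Tue May 01 00:00:00 UTC 2012
Password expiration date: Tue May 01 00:00:00 UTC 2012
Policy: [none]
Principal: host/kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [none]
Policy: xyzzy
"""

def parse_date(value):
    # MIT prints 'Fri May 25 08:21:00 EDT 2012', or '[never]' / '[none]'.
    if value.startswith("["):
        return None
    parts = value.split()
    del parts[4]  # drop the zone name: strptime's %Z only accepts a few zones
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_getprinc(text):
    records, cur = [], None  # one dict per principal, keyed by field name
    for line in text.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Principal":  # a "Principal:" line starts a new record
            cur = {"name": val}
            records.append(cur)
        elif cur is not None:
            cur[key] = val
    return records

def report(records, now, days, policy):
    # Answer the thread's four questions relative to the given 'now'.
    out = {"expired": [], "pw_expired": [], "pw_expiring": [], "policy": []}
    horizon = now + timedelta(days=days)
    for r in records:
        exp = parse_date(r.get("Expiration date", "[never]"))
        pwexp = parse_date(r.get("Password expiration date", "[none]"))
        if exp is not None and exp < now:
            out["expired"].append(r["name"])
        if pwexp is not None and pwexp <= horizon:  # already past, or within N days
            out["pw_expired" if pwexp < now else "pw_expiring"].append(r["name"])
        if r.get("Policy") == policy:
            out["policy"].append(r["name"])
    return out
```

Against a real KDC, feed it the concatenated output of one `getprinc` call per name from `getprincs`, as in the script above; the `kadmin.local` "Authenticating as principal" line carries no colon-separated field the parser cares about, but filtering it out as the script does keeps the input clean.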

