Kerberos Database Auditing/Querying
Oliver Loch
o.loch at gmx.net
Fri May 25 08:21:43 EDT 2012
Hi,
it can be done pretty easily, like this:
======== SNIP ======= 8< =============
#!/usr/bin/env bash
# kadmin tool to use
kadmin="/usr/bin/env kadmin.local"
# local date in seconds since 1970
ldate="$(date "+%s")"
# list all principals available
$kadmin -q getprincs | grep -v -E '^Authenticating.*' | while read -r line; do
    # get the expiration date of the principal
    expdate="$($kadmin -q "getprinc ${line}" | grep -E '^Expiration date.*' | awk '{ $1=""; $2=""; print $0 }')"
    # if the principal doesn't expire ...
    if [[ "$expdate" =~ .*never.* ]]; then
        # output the principal
        echo "$line will never expire"
        # next round please
        continue
    fi
    # transform date to seconds since 1970
    pedate=$(date -d "$expdate" "+%s")
    # if the principal's expiration date is less than the local date...
    if [ "$pedate" -lt "$ldate" ]; then
        # output that the principal is expired
        echo "$line is expired on $expdate"
    else
        # output that the principal will expire on $expdate
        echo "$line is valid till $expdate"
    fi
done
=======>8======= SNAP ==============
You get the idea?
KR,
Oliver
On 25.05.2012 at 13:01, John Devitofranceschi wrote:
>
> Are there any tools that would allow someone to generate reports from the KDC (or the local principal file) which answer questions like:
>
> Which principals are expired?
>
> Which principals have expired passwords?
>
> Which principals have passwords that will expire in N days?
>
> Which principals have policy "xyzzy"?
>
> You get the idea...
>
> Any pointers or pointers to pointers appreciated!
>
> jd
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
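
Added example, not part of Oliver's post or of the original thread: the same getprinc-parsing approach extended to the other questions in the quoted request (expired passwords, passwords expiring within N days, a given policy). The field labels are the ones MIT kadmin's getprinc prints; the function names and the sample records for alice and bob are constructed for illustration, and GNU date is assumed.

```bash
#!/usr/bin/env bash
# Added example; helper names and sample records are constructed.

# Print the value of the first "Label: value" line in getprinc output on stdin.
field() { sed -n "/^$1: /{s///p;q;}"; }

# kadmin date -> epoch seconds; prints nothing for [never] / [none].
to_epoch() {
  case "$1" in ''|*never*|*none*) return 0 ;; esac
  date -d "$1" '+%s'    # GNU date, as in the script above
}

# Args: now (epoch), warning window in days, policy name to flag.
# Reads one principal's getprinc output on stdin, prints "name: findings".
audit_principal() {
  now=$1 days=$2 want=$3 out=''
  rec=$(cat)
  name=$(printf '%s\n' "$rec" | field 'Principal')
  exp=$(to_epoch "$(printf '%s\n' "$rec" | field 'Expiration date')")
  pw=$(to_epoch "$(printf '%s\n' "$rec" | field 'Password expiration date')")
  pol=$(printf '%s\n' "$rec" | field 'Policy')
  if [ -n "$exp" ] && [ "$exp" -lt "$now" ]; then out="$out principal-expired"; fi
  if [ -n "$pw" ]; then
    if [ "$pw" -lt "$now" ]; then out="$out password-expired"
    elif [ "$pw" -lt $((now + days * 86400)) ]; then
      out="$out password-expires-within-${days}d"
    fi
  fi
  # Compare the first word only, in case extra text follows the policy name.
  if [ "${pol%% *}" = "$want" ]; then out="$out policy=$want"; fi
  echo "$name:${out:- ok}"
}

# Live use on the KDC, e.g. "audit_all 14 xyzzy" (needs kadmin.local).
audit_all() {
  kadmin.local -q getprincs | grep -v '^Authenticating' | while read -r p; do
    kadmin.local -q "getprinc $p" | audit_principal "$(date '+%s')" "$1" "$2"
  done
}

# Constructed getprinc output, trimmed to the fields used here.
sample_alice() { printf '%s\n' 'Principal: alice@EXAMPLE.COM' \
  'Expiration date: [never]' \
  'Password expiration date: Tue Jun 05 00:00:00 UTC 2012' 'Policy: xyzzy'; }
sample_bob() { printf '%s\n' 'Principal: bob@EXAMPLE.COM' \
  'Expiration date: Tue May 01 00:00:00 UTC 2012' \
  'Password expiration date: Tue May 01 00:00:00 UTC 2012' 'Policy: [none]'; }

# Demo with a fixed "now" so the output is reproducible.
demo_now=$(date -d '2012-05-25 00:00:00 UTC' '+%s')
for s in sample_alice sample_bob; do $s | audit_principal "$demo_now" 14 xyzzy; done
```

Because the policy and both expiration fields come from the same getprinc call, one pass over the principal list answers all four questions in the request.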