Kerberos Database Auditing/Querying

Oliver Loch o.loch at gmx.net
Fri May 25 08:21:43 EDT 2012


Hi,

It can be done pretty easily, like this:

======== SNIP ======= 8< =============

#!/usr/bin/env bash

# kadmin tool to use
kadmin="/usr/bin/env kadmin.local"

# local date in seconds since 1970
ldate="$(date "+%s")"

# list all principals available
$kadmin -q getprincs | grep -v -E '^Authenticating.*' | while read -r line; do

        # get the expiration date of the principal (drop the "Expiration date:" label)
        expdate="$($kadmin -q "getprinc ${line}" | grep -E '^Expiration date.*' | awk '{ $1=""; $2=""; print $0}')";

        # if the principal doesn't expire ...
        if [[ "$expdate" =~ .*never.* ]]; then

                # output the principal
                echo "$line will never expire"
                # next round please
                continue;
        fi

        # transform date to seconds since 1970
        pedate=$(date -d "$expdate" "+%s");

        # if the principal's expiration date is earlier than the local date...
        if [ "$pedate" -lt "$ldate" ]; then

                # output that the principal is expired
                echo "$line is expired on $expdate";
        else

                # output that the principal will expire on $expdate
                echo "$line is valid till $expdate";
        fi
done

=======>8======= SNAP ==============

You get the idea?

KR,

Oliver

On 25.05.2012 at 13:01, John Devitofranceschi wrote:

> 
> Are there any tools that would allow someone to generate reports from the KDC (or the local principal file) which answer questions like:
> 
> Which principals are expired?
> 
> Which principals have expired passwords?
> 
> Which principals have passwords that will expire in N days?
> 
> Which principals have policy "xyzzy"?
> 
> You get the idea...
> 
> Any pointers or pointers to pointers appreciated!
> 
> jd
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
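
The script in the reply covers principal expiration only. The following is an added example, not part of either post, that extends the same `getprinc` parsing to the other questions asked: password expiry, expiry within N days, and policy. It assumes GNU `date` and the `Password expiration date:` and `Policy:` fields of `getprinc` output; the function names and sample records are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Assumes GNU date and the "Field: value" layout of getprinc output.

# to_epoch VALUE -> seconds since 1970; empty for [never]/[none]; "?" if unparsable
to_epoch() {
    case "$1" in
        ""|*never*|*none*) return 0 ;;
    esac
    date -d "$1" "+%s" 2>/dev/null || echo "?"
}

# state EPOCH NOW WARN_DAYS -> never | unknown | expired | expiring | valid
state() {
    if [ -z "$1" ]; then echo "never"
    elif [ "$1" = "?" ]; then echo "unknown"
    elif [ "$1" -lt "$2" ]; then echo "expired"
    elif [ "$1" -lt $(( $2 + $3 * 86400 )) ]; then echo "expiring"
    else echo "valid"
    fi
}

# audit_principal NOW WARN_DAYS   (reads one getprinc record on stdin)
# prints: principal|account state|password state|policy
audit_principal() {
    local now="$1" warn="$2" row princ="" exp="" pwexp="" policy=""
    while IFS= read -r row; do
        case "${row%%:*}" in
            "Principal")                princ="${row#*: }" ;;
            "Expiration date")          exp="${row#*: }" ;;
            "Password expiration date") pwexp="${row#*: }" ;;
            "Policy")                   policy="${row#*: }" ;;
        esac
    done
    printf '%s|%s|%s|%s\n' "$princ" \
        "$(state "$(to_epoch "$exp")" "$now" "$warn")" \
        "$(state "$(to_epoch "$pwexp")" "$now" "$warn")" "$policy"
}

# Constructed sample records (not real KDC output)
sample_alice() {
    printf '%s\n' "Principal: alice@EXAMPLE.COM" "Expiration date: [never]" \
        "Last password change: Mon Jan 02 10:00:00 UTC 2012" \
        "Password expiration date: Fri Jun 01 10:00:00 UTC 2012" "Policy: xyzzy"
}
sample_bob() {
    printf '%s\n' "Principal: bob@EXAMPLE.COM" \
        "Expiration date: Sun Jan 01 00:00:00 UTC 2012" \
        "Password expiration date: [never]" "Policy: [none]"
}
```

On a KDC the same function can be fed from `kadmin.local -q "getprinc <principal>" | audit_principal "$(date +%s)" 14`, and the pipe-separated output filtered with `grep` or `awk` by state or policy name.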
