edit dump files

Christian chanlists at googlemail.com
Tue Aug 6 08:00:57 EDT 2013


Dear list,

recently, I had a situation where I wanted to remove non-standard
enctypes (des-hmac-sha1) and others from a database I inherited. I
decided to do an unencrypted dump using kdb5_util dump -m and edit it.
In doing so, I wrote the included shell script to parts MIT dump files
and remove enctypes. It can easily be modified to do other changes to
dump files. I am posting it in the hope that it will be useful, but
without any warranties. Best,

Christian

#!/bin/bash

# No warranties. Use at your own risk.
# Written by Christian <chanlists at googlemail.com>

function usage {
  echo "Usage: $0 <enctype_number> [principal_regex]"
  echo
  echo "Delete keys with <enctype_number> from principals which match"
  echo "<principal regex> in an unencrypted MIT kdc dump file."
  echo "The uncencrypted dump is to be supplied on the standard input,"
  echo "and the modified dump will be provided on standard output."
  echo "If [principal_regex] is empty, all principals will be matched."
  echo
  echo "enctype_number according to src/include/krb5/krb5.hin in the"
  echo "MIT kerberos source can be:"
  echo "1   ENCTYPE_DES_CBC_CRC     DES cbc mode with CRC-32"
  echo "2   ENCTYPE_DES_CBC_MD4     DES cbc mode with RSA-MD4"
  echo "3   ENCTYPE_DES_CBC_MD5     DES cbc mode with RSA-MD5"
  echo "4   ENCTYPE_DES_CBC_RAW     @deprecated DES cbc mode raw"
  echo "5   ENCTYPE_DES3_CBC_SHA    @deprecated DES-3 cbc with SHA1"
  echo "6   ENCTYPE_DES3_CBC_RAW    @deprecated DES-3 cbc mode raw"
  echo "8   ENCTYPE_DES_HMAC_SHA1   @deprecated"
  echo "9   ENCTYPE_DSA_SHA1_CMS    DSA with SHA1, CMS signature"
  echo "10  ENCTYPE_MD5_RSA_CMS     MD5 with RSA, CMS signature"
  echo "11  ENCTYPE_SHA1_RSA_CMS    SHA1 with RSA, CMS signature"
  echo "12  ENCTYPE_RC2_CBC_ENV     RC2 cbc mode, CMS enveloped data"
  echo "13  ENCTYPE_RSA_ENV         RSA encryption, CMS enveloped data"
  echo "14  ENCTYPE_RSA_ES_OAEP_ENV RSA w/OEAP encryption, CMS env.data"
  echo "15  ENCTYPE_DES3_CBC_ENV    DES-3 cbc mode, CMS enveloped data"
  echo "16  ENCTYPE_DES3_CBC_SHA1"
  echo "17  ENCTYPE_AES128_CTS_HMAC_SHA1_96   RFC 3962"
  echo "18  ENCTYPE_AES256_CTS_HMAC_SHA1_96   RFC 3962"
  echo "23  ENCTYPE_ARCFOUR_HMAC"
  echo "24  ENCTYPE_ARCFOUR_HMAC_EXP"
  echo "511 ENCTYPE_UNKNOWN"
  echo
  echo "Data format of dump according to dump_k5beta6_iterator_ext() "
  echo "from kadmin/dbutil/dump.c in the MIT kerberos source."
  echo
  echo "We also produce a file \"ciphers.log\" in the current directory"
  echo "which holds the type numbers of all keys in the output dump"
  echo "according to the above table."
  echo
  echo "No warranties. Use at your own risk."
}

if ([ -z "$1" ] || ! [[ $1 =~ [0-9]+ ]] ) ; then
  usage
  exit 1
fi

del_enctype=$1

if [ -z "$2" ] ; then
  principal_regex=".+"
else
  principal_regex="$2"
fi

# Line counter
m=1

echo >ciphers.log

# Loop over lines in standard input. Each line is split by tabs and
loaded into the array ld[].
while IFS="$(echo -ne '\t')" read -a ld || [ -n "${ld[0]}" ] ; do

  # Check first line of input file for correct dump format header
  if [ "$m" == "1" ] && [ "${ld[0]}" != "kdb5_util load_dump version 6"
] ; then
    echo "Not the expected MIT dump format. Bye."
    exit 1
  fi

  if [ "${ld[0]}" == "princ" ] ; then
    # Line contains information about a principal.

    # Parse a line with data for one principal.
    unset tl_data_type
    unset tl_data_len
    unset tl_data
    unset key_data_ver
    unset key_data_kvno
    unset key_data
    unset key_data_len
    unset key_data_type
    declare -A key_data
    declare -A key_data_len
    declare -A key_data_type
    len="${ld[1]}"
    namelen="${ld[2]}"
    n_tl_data="${ld[3]}"
    n_key_data="${ld[4]}"
    e_length="${ld[5]}"
    name="${ld[6]}"
    attributes="${ld[7]}"
    max_life="${ld[8]}"
    max_renewable_life="${ld[9]}"
    expiration="${ld[10]}"
    pw_expiration="${ld[11]}"
    last_success="${ld[12]}"
    last_failed="${ld[13]}"
    fail_auth_count="${ld[14]}"
    for i in $( seq 0 $(($n_tl_data-1)) ) ; do
      tl_data_type[$i]="${ld[$((15+3*$i))]}"
      tl_data_len[$i]="${ld[$((16+3*$i))]}"
      tl_data[$i]="${ld[$((17+3*$i))]}"
    done
    # echo -e "$name\t$n_tl_data\t${tl_data[$(($n_tl_data-1))]}"
    keystart=$((15+3*$n_tl_data))
    k=$keystart
    for i in $( seq 0 $(($n_key_data-1)) ) ; do
      key_data_ver[$i]="${ld[$k]}"
      k=$(($k+1))
      key_data_kvno[$i]="${ld[$k]}"
      k=$(($k+1))
      for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
        mi="${i}_${j}"
        # echo $mi
        key_data_type[$mi]="${ld[$k]}"
        k=$(($k+1))
        key_data_len[$mi]="${ld[$k]}"
        k=$(($k+1))
        key_data[$mi]="${ld[$k]}"
        k=$(($k+1))
      done
    done

    # Remove selected enctype.
    for i in ${!key_data_ver[*]} ; do
      for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
        mi="${i}_${j}"
        if [ "${key_data_type[$mi]}" == "$del_enctype" ] && \
           [[ $name =~ $principal_regex ]] ; then
          flagdelete=1
        else
          flagdelete=0
        fi
      done
      if [ "${flagdelete}" == "1" ] ; then
        for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
          mi="${i}_${j}"
          unset key_data_type[$mi]
          unset key_data_len[$mi]
          unset key_data[$mi]
        done
        unset key_data_ver[$i]
        unset key_data_kvno[$i]
      fi
    done
    n_key_data="${#key_data_ver[@]}"

    # Dump the modified principal line to the output.
    echo -ne "princ\t"
    echo -ne "$len\t"
    echo -ne "$namelen\t"
    echo -ne "$n_tl_data\t"
    echo -ne "$n_key_data\t"
    echo -ne "$e_length\t"
    echo -ne "$name\t"
    echo -ne "$attributes\t"
    echo -ne "$max_life\t"
    echo -ne "$max_renewable_life\t"
    echo -ne "$expiration\t"
    echo -ne "$pw_expiration\t"
    echo -ne "$last_success\t"
    echo -ne "$last_failed\t"
    echo -ne "$fail_auth_count\t"

    for i in $( seq 0 $(($n_tl_data-1)) ) ; do
      echo -ne "${tl_data_type[$i]}\t"
      echo -ne "${tl_data_len[$i]}\t"
      echo -ne "${tl_data[$i]}\t"
    done
    for i in ${!key_data_ver[*]} ; do
      echo -ne "${key_data_ver[$i]}\t"
      echo -ne "${key_data_kvno[$i]}\t"
      for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
        mi="${i}_${j}"
        echo -ne "${key_data_type[$mi]}\t"
        echo "${key_data_type[$mi]}" >>ciphers.log
        echo -ne "${key_data_len[$mi]}\t"
        echo -ne "${key_data[$mi]}\t"
      done
    done
    echo "-1;"

  else

    # Line contains other information, e. g. a policy.
    # Just dump that verbatim to the output.
    nfields="${#ld[*]}"
    for i in $(seq 0 $(($nfields-1))) ; do
      echo -ne "${ld[$i]}"
      if [ "$i" != "$(($nfields-1))" ] ; then
        echo -ne "\t"
      else
        echo -ne "\n"
      fi
    done

  fi

  # Increase line counter
  m=$(($m+1))

done


More information about the Kerberos mailing list