edit dump files
Christian
chanlists at googlemail.com
Tue Aug 6 08:00:57 EDT 2013
Dear list,
recently, I had a situation where I wanted to remove non-standard
enctypes (des-hmac-sha1) and others from a database I inherited. I
decided to do an unencrypted dump using kdb5_util dump -m and edit it.
In doing so, I wrote the included shell script to parts MIT dump files
and remove enctypes. It can easily be modified to do other changes to
dump files. I am posting it in the hope that it will be useful, but
without any warranties. Best,
Christian
#!/bin/bash
# No warranties. Use at your own risk.
# Written by Christian <chanlists at googlemail.com>
function usage {
echo "Usage: $0 <enctype_number> [principal_regex]"
echo
echo "Delete keys with <enctype_number> from principals which match"
echo "<principal regex> in an unencrypted MIT kdc dump file."
echo "The uncencrypted dump is to be supplied on the standard input,"
echo "and the modified dump will be provided on standard output."
echo "If [principal_regex] is empty, all principals will be matched."
echo
echo "enctype_number according to src/include/krb5/krb5.hin in the"
echo "MIT kerberos source can be:"
echo "1 ENCTYPE_DES_CBC_CRC DES cbc mode with CRC-32"
echo "2 ENCTYPE_DES_CBC_MD4 DES cbc mode with RSA-MD4"
echo "3 ENCTYPE_DES_CBC_MD5 DES cbc mode with RSA-MD5"
echo "4 ENCTYPE_DES_CBC_RAW @deprecated DES cbc mode raw"
echo "5 ENCTYPE_DES3_CBC_SHA @deprecated DES-3 cbc with SHA1"
echo "6 ENCTYPE_DES3_CBC_RAW @deprecated DES-3 cbc mode raw"
echo "8 ENCTYPE_DES_HMAC_SHA1 @deprecated"
echo "9 ENCTYPE_DSA_SHA1_CMS DSA with SHA1, CMS signature"
echo "10 ENCTYPE_MD5_RSA_CMS MD5 with RSA, CMS signature"
echo "11 ENCTYPE_SHA1_RSA_CMS SHA1 with RSA, CMS signature"
echo "12 ENCTYPE_RC2_CBC_ENV RC2 cbc mode, CMS enveloped data"
echo "13 ENCTYPE_RSA_ENV RSA encryption, CMS enveloped data"
echo "14 ENCTYPE_RSA_ES_OAEP_ENV RSA w/OEAP encryption, CMS env.data"
echo "15 ENCTYPE_DES3_CBC_ENV DES-3 cbc mode, CMS enveloped data"
echo "16 ENCTYPE_DES3_CBC_SHA1"
echo "17 ENCTYPE_AES128_CTS_HMAC_SHA1_96 RFC 3962"
echo "18 ENCTYPE_AES256_CTS_HMAC_SHA1_96 RFC 3962"
echo "23 ENCTYPE_ARCFOUR_HMAC"
echo "24 ENCTYPE_ARCFOUR_HMAC_EXP"
echo "511 ENCTYPE_UNKNOWN"
echo
echo "Data format of dump according to dump_k5beta6_iterator_ext() "
echo "from kadmin/dbutil/dump.c in the MIT kerberos source."
echo
echo "We also produce a file \"ciphers.log\" in the current directory"
echo "which holds the type numbers of all keys in the output dump"
echo "according to the above table."
echo
echo "No warranties. Use at your own risk."
}
if ([ -z "$1" ] || ! [[ $1 =~ [0-9]+ ]] ) ; then
usage
exit 1
fi
del_enctype=$1
if [ -z "$2" ] ; then
principal_regex=".+"
else
principal_regex="$2"
fi
# Line counter
m=1
echo >ciphers.log
# Loop over lines in standard input. Each line is split by tabs and
loaded into the array ld[].
while IFS="$(echo -ne '\t')" read -a ld || [ -n "${ld[0]}" ] ; do
# Check first line of input file for correct dump format header
if [ "$m" == "1" ] && [ "${ld[0]}" != "kdb5_util load_dump version 6"
] ; then
echo "Not the expected MIT dump format. Bye."
exit 1
fi
if [ "${ld[0]}" == "princ" ] ; then
# Line contains information about a principal.
# Parse a line with data for one principal.
unset tl_data_type
unset tl_data_len
unset tl_data
unset key_data_ver
unset key_data_kvno
unset key_data
unset key_data_len
unset key_data_type
declare -A key_data
declare -A key_data_len
declare -A key_data_type
len="${ld[1]}"
namelen="${ld[2]}"
n_tl_data="${ld[3]}"
n_key_data="${ld[4]}"
e_length="${ld[5]}"
name="${ld[6]}"
attributes="${ld[7]}"
max_life="${ld[8]}"
max_renewable_life="${ld[9]}"
expiration="${ld[10]}"
pw_expiration="${ld[11]}"
last_success="${ld[12]}"
last_failed="${ld[13]}"
fail_auth_count="${ld[14]}"
for i in $( seq 0 $(($n_tl_data-1)) ) ; do
tl_data_type[$i]="${ld[$((15+3*$i))]}"
tl_data_len[$i]="${ld[$((16+3*$i))]}"
tl_data[$i]="${ld[$((17+3*$i))]}"
done
# echo -e "$name\t$n_tl_data\t${tl_data[$(($n_tl_data-1))]}"
keystart=$((15+3*$n_tl_data))
k=$keystart
for i in $( seq 0 $(($n_key_data-1)) ) ; do
key_data_ver[$i]="${ld[$k]}"
k=$(($k+1))
key_data_kvno[$i]="${ld[$k]}"
k=$(($k+1))
for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
mi="${i}_${j}"
# echo $mi
key_data_type[$mi]="${ld[$k]}"
k=$(($k+1))
key_data_len[$mi]="${ld[$k]}"
k=$(($k+1))
key_data[$mi]="${ld[$k]}"
k=$(($k+1))
done
done
# Remove selected enctype.
for i in ${!key_data_ver[*]} ; do
for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
mi="${i}_${j}"
if [ "${key_data_type[$mi]}" == "$del_enctype" ] && \
[[ $name =~ $principal_regex ]] ; then
flagdelete=1
else
flagdelete=0
fi
done
if [ "${flagdelete}" == "1" ] ; then
for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
mi="${i}_${j}"
unset key_data_type[$mi]
unset key_data_len[$mi]
unset key_data[$mi]
done
unset key_data_ver[$i]
unset key_data_kvno[$i]
fi
done
n_key_data="${#key_data_ver[@]}"
# Dump the modified principal line to the output.
echo -ne "princ\t"
echo -ne "$len\t"
echo -ne "$namelen\t"
echo -ne "$n_tl_data\t"
echo -ne "$n_key_data\t"
echo -ne "$e_length\t"
echo -ne "$name\t"
echo -ne "$attributes\t"
echo -ne "$max_life\t"
echo -ne "$max_renewable_life\t"
echo -ne "$expiration\t"
echo -ne "$pw_expiration\t"
echo -ne "$last_success\t"
echo -ne "$last_failed\t"
echo -ne "$fail_auth_count\t"
for i in $( seq 0 $(($n_tl_data-1)) ) ; do
echo -ne "${tl_data_type[$i]}\t"
echo -ne "${tl_data_len[$i]}\t"
echo -ne "${tl_data[$i]}\t"
done
for i in ${!key_data_ver[*]} ; do
echo -ne "${key_data_ver[$i]}\t"
echo -ne "${key_data_kvno[$i]}\t"
for j in $( seq 0 $((${key_data_ver[$i]}-1)) ) ; do
mi="${i}_${j}"
echo -ne "${key_data_type[$mi]}\t"
echo "${key_data_type[$mi]}" >>ciphers.log
echo -ne "${key_data_len[$mi]}\t"
echo -ne "${key_data[$mi]}\t"
done
done
echo "-1;"
else
# Line contains other information, e. g. a policy.
# Just dump that verbatim to the output.
nfields="${#ld[*]}"
for i in $(seq 0 $(($nfields-1))) ; do
echo -ne "${ld[$i]}"
if [ "$i" != "$(($nfields-1))" ] ; then
echo -ne "\t"
else
echo -ne "\n"
fi
done
fi
# Increase line counter
m=$(($m+1))
done
More information about the Kerberos
mailing list