Single-DES in krbtgt/REALM key
Christian
chanlists at googlemail.com
Wed Aug 21 16:23:27 EDT 2013
Hi list,
> And we should probably add instructions about checking the logs for
> DES-only clients.
How about this? Best,
Christian
#!/bin/bash
#
# get1des. chanlists at googlemail.com (2013). No warranties.
#
# Look for clients that are being issued session keys with type 1
# (des-cbc-crc). Could easily be modified to look for other types.
# Run this from cron every ten minutes, say at
#   :01,:11,:21,:31,:41,:51 on your first KDC, and at
#   :02,:12,:22,:32,:42,:52 on your second KDC, ...
# It greps your log file for ISSUE lines during the previous ten minutes
# and adds the result to the table in $desfile. That file lives in AFS and
# should be writeable. We have an IP based AFS ACL on it. Could be on any
# shared filesystem, really.
#
# When run during the ten minutes after 23:40 on the master KDC, it will
# output the whole table to stdout (effectively mailing it to the sysadmin)
# and delete $desfile to restart from scratch for the next day.
#
# We do this every ten minutes because some of our DHCP clients have dynamic
# DNS, and we only get the correct hostname, which tells us something about
# the actual machine, when the time interval between the ISSUE and the
# lookup is short enough.
#
afscell=afs.cell
krbrealm=REALM.NAME
masterkdc=afs1
desfile="/afs/${afscell}/system/dhcpd/output/1des"
kdclog=/var/log/auth.log

# Might have to mess with this depending on your time format and the logs:
# "Mon DD HH:M" selects the ten-minute window that started ten minutes ago.
lookfor=$(date '+%b %d %H:%M' -d '10 minutes ago' | cut -b 1-11)

# Sanity patterns, so that nothing unexpected from the log reaches dig/echo.
validip="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
validprinc="^[a-zA-Z0-9@./-]+$"

# Change the 'ses=1}' to whatever you like if you want to look for other
# keys being issued... The awk field numbers depend on your log format:
# $18 = requesting principal, $10 = client IP, $20 = principal requested.
(
  grep "$lookfor" "${kdclog}" | \
    grep 'ses=1}' | \
    grep 'ISSUE' | \
    awk '{printf "%s\t%s\t%s\n",$18,$10,$20}' | \
    sort | uniq | sed -e 's/://g' | \
    while read princ ip princfor || [ -n "$princ" ] ; do
      if [[ $ip =~ $validip ]] && [[ $princ =~ $validprinc ]] && [[ $princfor =~ $validprinc ]] ; then
        # Reverse lookup now, while the DHCP lease still maps to this host
        # (first PTR only, so the table stays one line per entry).
        host=$(dig +short -x "$ip" | head -n 1)
        echo -ne "$princ\t$princfor\t"
        if [ -n "$host" ] ; then
          echo "$host"
        else
          echo "$ip"
        fi
      fi
    done
  # Merge with what earlier runs (on any KDC) already collected today.
  [ -f "${desfile}" ] && cat "${desfile}"
) | sort | uniq >"${desfile}.tmp"
mv -f "${desfile}.tmp" "${desfile}"

# Daily report and reset, from the master KDC only.
if [[ $lookfor =~ 23:4$ ]] && [ "$HOSTNAME" == "$masterkdc" ] ; then
  echo "+==============================================================+"
  echo "| The following hosts acquired des-cbc-crc session keys today: |"
  echo "+==============================================================+"
  echo
  (
    echo -e "req_princ\trequest\thostname_or_IP"
    [ -f "${desfile}" ] && sed -e "s/@${krbrealm}//g" "${desfile}"
  ) | column -t
  rm -f "${desfile}"
fi
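A parser for the ISSUE lines themselves, as an added example (Python; not Christian's script and not part of the original post): it assumes the MIT krb5 kdc.log layout shown in the constructed sample lines and reads the etype fields by name instead of by awk column, so it can also separate clients that merely received a single-DES session key from clients that offered nothing but DES.

```python
import re
# Kerberos enctype numbers (RFC 3961/3962/4757); 1, 2 and 3 are single DES.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}

# Assumed MIT krb5 ISSUE layout: offered etypes in parentheses, then rep/tkt/ses issued.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]*)\}\) "
    r"(?P<ip>[\d.]+): ISSUE: authtime \d+, etypes "
    r"\{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)")

def parse_issue(line):
    """Return a dict for an ISSUE line, or None for any other KDC line."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = {int(e) for e in rec["offered"].split()}
    for k in ("rep", "tkt", "ses"):
        rec[k] = int(rec[k])
    return rec

def find_des_issues(lines, key="ses"):
    """(client, server, ip, enctype) for each ISSUE whose `key` etype (ses, tkt or rep) is single DES."""
    hits = set()
    for line in lines:
        rec = parse_issue(line)
        if rec and rec[key] in SINGLE_DES:
            hits.add((rec["client"], rec["server"], rec["ip"], ENCTYPE_NAMES[rec[key]]))
    return sorted(hits)

def des_only_clients(lines):
    """Clients that offered only single-DES etypes (they break outright once DES is disabled)."""
    clients = {}
    for line in lines:
        rec = parse_issue(line)
        if rec and rec["offered"] and rec["offered"] <= SINGLE_DES:
            clients[rec["client"]] = rec["ip"]
    return clients

# Constructed sample lines in MIT krb5 kdc.log style (not real log data).
SAMPLE_LOG = [
    "Aug 21 16:21:03 kdc1 krb5kdc[4711](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.10: ISSUE: authtime 1377116463, etypes {rep=18 tkt=1 ses=1}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Aug 21 16:21:09 kdc1 krb5kdc[4711](info): AS_REQ (2 etypes {1 3}) 192.0.2.23: ISSUE: authtime 1377116469, etypes {rep=1 tkt=1 ses=1}, host/old.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Aug 21 16:22:40 kdc1 krb5kdc[4711](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.31: ISSUE: authtime 1377116480, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/nfs.example.com@EXAMPLE.COM",
    "Aug 21 16:22:41 kdc1 krb5kdc[4711](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.31: CLIENT_NOT_FOUND: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database",
]
```

In the sample, alice offers AES but still gets a DES ticket and session key because the krbtgt key is single DES, which is the situation in the subject line; only the host/old.example.com principal is a genuinely DES-only client.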