Is there a "batchable" way to do ktutil list

James Ralston ralston at pobox.com
Mon May 3 00:12:05 EDT 2021


On Wed, Apr 21, 2021 at 6:42 AM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:

> > Is there another command that is more script-friendly?  If not,
> > can someone share a good way to pass args to the MIT ktutil?
>
> I think "klist -k" does what you want.  You can pass arguments to
> ktutil in a script via stdin and parse the output (we do that via a
> script), that looks something like:
>
>     (echo "rkt $keytab" ; echo "list") | ktutil | [parse output]
>
> The script this is from is so old, it predates the widespread use of
> the 'printf' command; that would probably be cleaner now.

Related to this: it would be tremendously useful if klist had a flag
to generate output intended to be machine-parsable, such as CSV or
JSON.

Yeah, I get it: the MIT Kerberos software predates UTF-8, let alone
JSON, and was written at a time when wizened greybeards (not machines)
were the ones parsing "klist" output.  In terms of development
priorities versus free developer cycles, making klist output CSV/JSON
is probably far down on the priority stack.

But still.  Not being able to get machine-readable output out of klist
turns what should be simple and useful scripting tasks, such as "scan
the 9 different TGTs in my credential cache collection and renew any
that expire in less than 12 hours", into "whee, I guess I'm writing a
finite-state automaton in shell again".

And while "klist -k" is a lot easier to parse than "klist" output
(because it's not multi-line), given that at our site we send a
boatload of host telemetry into Splunk every 30 minutes via an input
script that just execs "puppet facts --render-as json", it's
frustrating that there's no easy way to send up keytab data as well.
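
The JSON conversion wished for above, as an added example that is not part of the original post or of MIT Kerberos: a Python filter for "klist -k" output, with or without "-e". The row layout it expects and the sample listing are constructed assumptions, and the function names are hypothetical.

```python
import json
import re
import sys

# Constructed sample (not from a real host). The last row has no enctype,
# as plain `klist -k` prints it; the others look like `klist -ke` rows.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  11 HTTP/web01.example.com@EXAMPLE.COM
"""

# Assumed row layout: right-aligned KVNO, principal, optional "(enctype)".
ROW = re.compile(r"^\s*(\d+)\s+(.+?)(?:\s+\(([^()]+)\)\s*)?$")

def parse_klist_k(text):
    """Turn `klist -k` / `klist -ke` text into a JSON-serialisable dict."""
    keytab, entries, in_rows = None, [], False
    for line in text.splitlines():
        if line.startswith("Keytab name:"):
            keytab, in_rows = line.split(":", 1)[1].strip(), False
        elif line.startswith("----"):
            in_rows = True  # the dashed rule ends the header
        elif in_rows and line.strip():
            m = ROW.match(line)
            if not m:  # fail loudly rather than ship bad telemetry
                raise ValueError(f"unrecognised keytab row: {line!r}")
            entries.append({"kvno": int(m.group(1)),
                            "principal": m.group(2).strip(),
                            "enctype": m.group(3)})
    return {"keytab": keytab, "entries": entries}

def current_keys(parsed):
    """Per principal: the highest KVNO and the enctypes stored for it."""
    latest = {}
    for e in parsed["entries"]:
        cur = latest.setdefault(e["principal"], {"kvno": e["kvno"], "enctypes": []})
        if e["kvno"] > cur["kvno"]:
            cur["kvno"], cur["enctypes"] = e["kvno"], []
        if e["kvno"] == cur["kvno"] and e["enctype"]:
            cur["enctypes"].append(e["enctype"])
    return latest

if __name__ == "__main__":
    # Pipe `klist -ke` into this script; with no pipe it uses the sample.
    parsed = parse_klist_k(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print(json.dumps({**parsed, "current": current_keys(parsed)}, indent=2))
```

A row that does not match the assumed layout raises ValueError instead of being skipped, so a format change shows up as a failed input script rather than as silently missing keytab data.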

