[38915] in Kerberos
Re: Is there a "batchable" way to do ktutil list
daemon@ATHENA.MIT.EDU (James Ralston)
Mon May 3 00:15:03 2021
In-Reply-To: <202104211035.13LAZlgU016017@hedwig.cmf.nrl.navy.mil>
From: James Ralston <ralston@pobox.com>
Date: Mon, 3 May 2021 00:12:05 -0400
Message-ID: <CAEkxbZuFyBq8a=nrtwe2Z6RZrk51ERWq3oS7ksG55i_YG1tn0A@mail.gmail.com>
To: kerberos@mit.edu
On Wed, Apr 21, 2021 at 6:42 AM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> > Is there another command that is more script-friendly? If not,
> > can someone share a good way to pass args to the MIT ktutil?
>
> I think "klist -k" does what you want. You can pass arguments to
> ktutil in a script via stdin and parse the output (we do that via a
> script), that looks something like:
>
> (echo "rkt $keytab" ; echo "list") | ktutil | [parse output]
>
> The script this is from is so old, it predates the widespread use of
> the 'printf' command; that would probably be cleaner now.

Related to this: it would be tremendously useful if klist had a flag
to generate output intended to be machine-parsable, such as CSV or
JSON.

Yeah, I get it: the MIT Kerberos software predates UTF-8, let alone
JSON, and was written at a time when wizened greybeards (not machines)
were the ones parsing "klist" output. In terms of development
priorities versus free developer cycles, making klist output CSV/JSON
is probably far down on the priority stack.

But still. Not being able to get machine-readable output out of klist
turns what should be simple and useful scripting tasks, such as "scan
the 9 different TGTs in my credential cache collection and renew any
that expire in less than 12 hours", into "whee, I guess I'm writing a
finite-state automaton in shell again".

And while "klist -k" is a lot easier to parse than "klist" output
(because it's not multi-line), given that at our site we send a
boatload of host telemetry into Splunk every 30 minutes via an input
script that just execs "puppet facts --render-as json", it's
frustrating that there's no easy way to send up keytab data as well.
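
An added example, not part of the original message and not MIT Kerberos code: a shell wrapper of the kind the thread asks for, turning "klist -k" / "klist -ke" text into one JSON object per keytab entry for a telemetry input. The function name keytab_to_json, the JSON field names and the sample rows are constructed here, and the column layout (a "Keytab name:" line, a header, a dashed rule, then entry rows) is an assumption about the klist output being parsed.

```shell
#!/bin/sh
# Added example (not from the original message or from MIT Kerberos).
# Reads `klist -k` or `klist -ke` text on stdin and writes one JSON object
# per keytab entry. Assumed layout: "Keytab name:" line, column header,
# dashed rule, then rows of "<kvno> <principal> [(<enctype>)]".
keytab_to_json() {
    awk '
    /^Keytab name:/ { kt = $0; sub(/^Keytab name:[ \t]*/, "", kt); next }
    /^-[- \t]*$/    { in_rows = 1; next }      # dashed rule ends the header
    !in_rows || NF == 0 { next }
    {
        enc = ""
        if (match($0, /\([^()]*\)[ \t]*$/)) {  # trailing "(enctype)" from -e
            enc = substr($0, RSTART + 1, RLENGTH - 1)
            sub(/\)[ \t]*$/, "", enc)
            $0 = substr($0, 1, RSTART - 1)     # re-split without the enctype
        }
        # Refuse rows that do not fit rather than guess: extra columns (such
        # as -t timestamps), or a quote/backslash that would need escaping.
        all = kt $0 enc
        if (NF != 2 || $1 !~ /^[0-9]+$/ || $2 !~ /@/ ||
            index(all, "\\") || index(all, "\"")) {
            bad++; next
        }
        printf "{\"keytab\":\"%s\",\"kvno\":%d,\"principal\":\"%s\",\"enctype\":%s}\n",
               kt, $1, $2, (enc == "" ? "null" : "\"" enc "\"")
    }
    END { if (bad) { print bad " row(s) skipped" > "/dev/stderr"; exit 1 } }'
}

# Constructed sample in the assumed `klist -ke` layout (not captured output).
keytab_to_json <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
```

In real use the input would be piped in, for example `klist -ke /etc/krb5.keytab | keytab_to_json`; a non-zero exit status means at least one row was skipped and the output is incomplete.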