This shell script is a wrapper around the `kadmin.local` command,...

May 18, 2025 at 05:23 AM

```sh
#!/bin/sh
# trivial implementation for now
echo "kadmin.local $@" | logger
# usage string referenced by the bad-option branch (was undefined in the original)
usage="usage: $0 [-r realm] [-l] -q \"command [flags] principal\""
cmd=""
realm=""
while true ; do
    case $1 in
        -r) realm="-r $2"; shift 2;;
        -l) shift ;;
        -q) cmd="$2" ; shift 2;;
        --version) echo "kadmin.local: heimdal MIT emulation glue"; exit 0;;
        -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
        *) break;;
    esac
done
# word-split the -q string: first word is the command, rest are its flags/principal
set -- $cmd
case $1 in
add_principal)
    shift
    mod=''
    while true ; do
        case $1 in
            +requires_preauth) mod="+requires-pre-auth${mod:+,}${mod}"
                shift ;;
            -allow_svr) mod="+disallow-svr${mod:+,}${mod}"
                shift ;;
            *) break;;
        esac
    done
    if test $# -lt 1; then
        echo "add: no principal" | logger
        exit 1
    fi
    principal="$1"
    # XXX we dont need the certhash user for Heimdal
    # will pick up the entry from the record name
    echo "principal: X${principal}X $(echo -n $principal | wc -c)" | logger
    if test $(echo -n $principal | wc -c) = 40; then
        echo "Refusing to create a BTMM hash user for Heimdal" | logger
        exit 0
    fi
    mod="${mod:+--attributes=}${mod}"
    cmd="/usr/sbin/kadmin -l $realm add --use-defaults --verbose $mod $principal"
    echo "kadmin.local: $cmd" | logger
    eval $cmd
    res=$?
    echo "kadmin.local: $res" | logger
    exit $res
    ;;
modify_principal|modprinc)
    shift
    mod=''
    expire=''
    while true ; do
        case $1 in
            +requires_preauth) mod="+requires-pre-auth${mod:+,}${mod}"
                shift ;;
            +allow_tix) mod="-disallow-all-tix${mod:+,}${mod}"
                shift ;;
            -allow_tix) mod="+disallow-all-tix${mod:+,}${mod}"
                shift ;;
            -certhash)
                # just ignore certhash request for now (the shift below is never reached)
                exit 0
                shift 2
                ;;
            -allow_svr) mod="+disallow-svr${mod:+,}${mod}"
                shift ;;
            -expire)
                #echo format on %m/%d/%Y %H:%M:%S GMT/never
                #Kerberos should pick up policy from policy data
                shift 2
                ;;
            -pwexpire)
                #echo format on %m/%d/%Y %H:%M:%S GMT/never
                #Kerberos should pick up policy from policy data
                shift 2
                ;;
            +needschange) mod="+requires-pw-change${mod:+,}${mod}"
                shift ;;
            -needschange) mod="-requires-pw-change${mod:+,}${mod}"
                shift ;;
            -policy)
                # policy%dmin
                shift 2
                ;;
            *) break;;
        esac
    done
    if test $# -lt 1; then
        echo "mod: no principal" | logger
        exit 1
    fi
    principal="$1"
    # POSIX test uses a single = (the original had ==)
    if test "X$mod" = "X"; then
        echo "kadmin.local: no mod changed" | logger
        exit 0
    fi
    mod="${mod:+--attributes=}${mod}"
    # Heimdal's modify subcommand applies attributes to an existing entry
    # (the original invoked add here, which fails for an existing principal)
    cmd="/usr/sbin/kadmin -l $realm modify $mod $principal"
    echo "kadmin.local: $cmd" | logger
    eval $cmd
    res=$?
    echo "kadmin.local: $res" | logger
    exit $res
    ;;
delete_principal)
    # dont delete anything, delete the OD node instead
    shift
    mod=''
    while true ; do
        case $1 in
            -force) shift ;;
            *) break;;
        esac
    done
    if test $# -lt 1; then
        echo "delete: no principal" | logger
        exit 1
    fi
    principal="$1"
    #if test $(echo -n "$principal" | wc -c) = 40; then
    #    echo "Refusing to delete a BTMM hash user for Heimdal" | logger
    #    exit 0
    #fi
    #cmd="/usr/sbin/kadmin -l $realm delete $principal"
    #echo "kadmin.local: $cmd" | logger
    #eval $cmd
    #res=$?
    #echo "kadmin.local: $res" | logger
    #exit $res
    exit 0
    ;;
get_principal)
    shift
    arg=''
    while true ; do
        case $1 in
            -terse) arg="--terse"
                shift ;;
            *) break;;
        esac
    done
    if test $# -lt 1; then
        echo "get: no principal" | logger
        exit 1
    fi
    # the original never assigned principal in this branch, so the get ran with no name
    principal="$1"
    cmd="/usr/sbin/kadmin -l $realm get $arg $principal"
    echo "kadmin.local: $cmd" | logger
    eval $cmd
    res=$?
    echo "kadmin.local: $res" | logger
    exit $res
    ;;
change_password)
    shift
    if test $# -lt 1; then
        echo "change_password: no principal" | logger
        exit 1
    fi
    principal="$1"
    cmd="/usr/sbin/kadmin -l $realm cpw $principal"
    echo "kadmin.local: $cmd" | logger
    eval $cmd
    res=$?
    echo "kadmin.local: $res" | logger
    exit $res
    ;;
delete_policy) ;;
add_policy) ;;
*)
    echo "kadmin.local: unsupported command $@"
    echo "kadmin.local: unsupported command: $@" | logger
    exit 1
    ;;
esac
exit 0
```

Test invocations appended after the script's final exit 0 (they never run as part of the script itself; the -q argument is quoted here so the whole command string reaches the wrapper as one word):

```sh
lkdc=LKDC:SHA1.D0ED2D7ACBDDF64B63A50BC871D427A18F39646B
certhash=ABCEF0
kadmin.local -r $lkdc -q "modify_principal +allow_tix user"
kadmin.local -r $lkdc -q "delete_principal -force $certhash"
kadmin.local -r $lkdc -q "delete_principal -force $certhash@$lkdc"
kadmin.local -r $lkdc -q "add_principal +requires_preauth -allow_svr $certhash"
kadmin.local -r $lkdc -q "modprinc +requires_preauth -certhash $certhash $certhash"
kadmin.local -r $lkdc -q "delete_principal -force foo"
```

This shell script emulates the MIT Kerberos kadmin.local command, which administrators use to manage Kerberos database entries such as principals and policies, on top of Heimdal's local kadmin (/usr/sbin/kadmin -l); its --version string calls it "heimdal MIT emulation glue". Below is an analysis of what the script does:

General Overview

  1. Command Logging: At the beginning, it logs the full command line it was invoked with to the system log using the logger command.

  2. Argument Parsing and Preprocessing:

    • The script accepts the MIT kadmin.local options -r realm, -l (ignored) and -q "command", prints a version string for --version, and rejects any other option.
    • The -q string is word-split with set -- $cmd; the first word selects one of the supported commands add_principal, modify_principal (modprinc), delete_principal, get_principal and change_password, and the remaining words are that command's flags and principal.
  3. Command Execution: Based on that first word, the script translates the MIT-style flags into Heimdal attributes, builds the equivalent Heimdal /usr/sbin/kadmin -l command line as a string and executes it using eval. Because the principal is interpolated unquoted into that string, any shell metacharacters in a principal name would be interpreted by the shell at this point.


Key Functionalities

1. Logging

Each command is logged with its arguments (before execution) and its result (exit status) to the system log using the logger command.

2. Command Handling

  • add_principal:

    • Adds a new principal to the Kerberos database.
    • Translates the MIT flags +requires_preauth and -allow_svr into the Heimdal attributes +requires-pre-auth and +disallow-svr.
    • If the principal's name is exactly 40 characters long (indicative of a hashed user, e.g., for Apple BTMM), the script logs a refusal and exits 0 without adding it.
  • modify_principal / modprinc:

    • Modifies properties of an existing principal.
    • Supports modifiers like +requires_preauth, +allow_tix, -allow_tix, +needschange, etc.
    • -certhash makes the wrapper exit 0 immediately, so nothing is modified; -expire, -pwexpire and -policy are skipped together with their values.
  • delete_principal:

    • Ostensibly deletes a principal from the Kerberos database but does not actually execute the deletion.
    • Most code for deletion is commented out, and the command essentially does nothing (exit 0) after verifying input arguments.
  • get_principal:

    • Retrieves information about a given principal; the MIT-style -terse flag is passed to Heimdal as --terse.
  • change_password:

    • Changes the password for a specified principal.
  • Other commands like add_policy and delete_policy have stub implementations and are not functional in the script.
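The flag translation and command construction described above, as an added example that is not part of the wrapper script on this page: it reproduces the MIT-flag to Heimdal-attribute mapping, adds a principal-name allow-list and the 40-character hash-user heuristic, and invokes the Heimdal add with positional arguments instead of a string handed to eval. The KADMIN variable, the allow-list and the realm and principal values are assumptions chosen for the example; with KADMIN unset the command is echoed, so the example runs offline.

```shell
#!/bin/sh
# Added example, not part of the wrapper on this page: MIT-flag -> Heimdal-
# attribute translation, a principal allow-list, and an eval-free invocation.

# mit_to_heimdal_attrs FLAG... : print the comma-separated Heimdal attribute
# list for the leading MIT-style flags; scanning stops at the first word that
# is not a known flag (the principal), exactly as the wrapper's loop does.
mit_to_heimdal_attrs() {
    mod=''
    for flag in "$@"; do
        case $flag in
            +requires_preauth) mod="+requires-pre-auth${mod:+,}${mod}" ;;
            +allow_tix)        mod="-disallow-all-tix${mod:+,}${mod}" ;;
            -allow_tix)        mod="+disallow-all-tix${mod:+,}${mod}" ;;
            -allow_svr)        mod="+disallow-svr${mod:+,}${mod}" ;;
            +needschange)      mod="+requires-pw-change${mod:+,}${mod}" ;;
            -needschange)      mod="-requires-pw-change${mod:+,}${mod}" ;;
            *) break ;;
        esac
    done
    printf '%s' "$mod"
}

# valid_principal NAME : succeed only if NAME is non-empty and made of the
# characters this constructed allow-list permits (letters, digits and the
# separators . _ - / @ used in principal and realm names).
valid_principal() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9._/@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_hash_user NAME : the wrapper's 40-character heuristic for BTMM hash users.
is_hash_user() {
    [ "${#1}" -eq 40 ]
}

# heimdal_add REALM ATTRS PRINCIPAL : run the add through the program named in
# KADMIN (assumed variable; defaults to echo for a dry run), passing every
# value as its own argument so the shell never re-parses the principal.
heimdal_add() {
    realm=$1; attrs=$2; principal=$3
    if ! valid_principal "$principal"; then
        echo "refusing principal with unexpected characters: $principal" >&2
        return 1
    fi
    if is_hash_user "$principal"; then
        echo "Refusing to create a BTMM hash user for Heimdal" >&2
        return 0
    fi
    set -- "${KADMIN:-echo}" -l
    [ -n "$realm" ] && set -- "$@" -r "$realm"
    set -- "$@" add --use-defaults --verbose
    [ -n "$attrs" ] && set -- "$@" "--attributes=$attrs"
    set -- "$@" "$principal"
    "$@"
}

# Dry-run demonstration with constructed values.
demo_attrs=$(mit_to_heimdal_attrs +requires_preauth -allow_svr alice)
heimdal_add EXAMPLE.REALM "$demo_attrs" alice
heimdal_add EXAMPLE.REALM "$demo_attrs" 'alice;id' || echo "rejected as expected" >&2
```

The allow-list check runs before the name is placed on the command line, and the command is executed as an argument vector rather than through eval, so the difference from the wrapper is where the principal is validated and how it reaches kadmin, not what is sent.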

3. Input Validation

The script checks that required arguments are present for each command (e.g., a principal is specified) and exits with an error message if they are missing.

4. Default Behavior

If an unsupported command is provided, the script logs the unsupported command and exits with an error.


Special Notes

  • Principal Name Handling:

    • Refuses to add a principal whose name is exactly 40 characters (treated as a BTMM hash user entry); the matching check on the delete path is commented out, as is the deletion itself.
  • No Actual Deletion:

    • The delete_principal command does not delete principals. The relevant command execution is commented out, and the script skips the deletion.
  • Stubbed Functionality:

    • Commands like add_policy and delete_policy are defined as placeholders but do nothing.

Example Commands at the End

  1. modify_principal:

    • Enables ticket issuance for the principal user via the +allow_tix modifier, which the wrapper maps to the Heimdal attribute -disallow-all-tix.
  2. delete_principal:

    • Attempts to delete hash-like principals and specific principals, but the deletion commands are effectively no-ops.
  3. add_principal:

    • Adds a hashed user as a principal with +requires_preauth and -allow_svr settings.
  4. modprinc:

    • Passes +requires_preauth and -certhash for the hash user; because -certhash makes the wrapper exit 0 as soon as it is seen, nothing is modified.
  5. delete_principal:

    • Attempts to delete a principal named foo, which does nothing as deletion logic is commented.

Purpose

This script appears to be a utility for managing Kerberos principals in a controlled way, with a focus on logging, enforcing certain policies (e.g., restrictions on hash-like users), and providing limited functionality for certain commands. Some behaviors, such as deletion or policy management, are deliberately disabled or incomplete.
