On Wed, Apr 21, 2021 at 6:42 AM Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
> > Is there another command that is more script-friendly? If not,
> > can someone share a good way to pass args to the MIT ktutil?
>
> I think "klist -k" does what you want. You can pass arguments to
> ktutil in a script via stdin and parse the output (we do that via a
> script), that looks something like:
>
> (echo "rkt $keytab" ; echo "list") | ktutil | [parse output]
>
> The script this is from is so old, it predates the widespread use of
> the 'printf' command; that would probably be cleaner now.

Related to this: it would be tremendously useful if klist had a flag to generate output intended to be machine-parsable, such as CSV or JSON.

Yeah, I get it: the MIT Kerberos software predates UTF-8, let alone JSON, and was written at a time when wizened greybeards (not machines) were the ones parsing "klist" output. In terms of development priorities versus free developer cycles, making klist output CSV/JSON is probably far down on the priority stack.

But still. Not being able to get machine-readable output out of klist turns what should be simple and useful scripting tasks, such as "scan the 9 different TGTs in my credential cache collection and renew any that expire in less than 12 hours", into "whee, I guess I'm writing a finite-state automaton in shell again".

And while "klist -k" is a lot easier to parse than "klist" output (because it's not multi-line), given that at our site we send a boatload of host telemetry into Splunk every 30 minutes via an input script that just execs "puppet facts --render-as json", it's frustrating that there's no easy way to send up keytab data as well.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
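An added example, not part of the original message or of MIT Kerberos: one way to turn the single-line-per-entry "klist -k" output discussed above into JSON for a telemetry input script. The function names, the sample keytab contents, and the assumption that principal names contain no spaces are all choices made for this example.

```python
import json
import re
import subprocess

# Constructed sample of `klist -k -e` output in the MIT layout; not from a real host.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   7 HTTP/web01.example.com@EXAMPLE.COM
"""

# One entry per line: KVNO, principal, and "(enctype)" only when -e was given.
# Assumption: the principal has no embedded whitespace.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.+)\))?\s*$")


def parse_klist_k(text):
    """Turn `klist -k` or `klist -k -e` text into a JSON-serialisable dict."""
    result = {"keytab": None, "entries": []}
    for line in text.splitlines():
        if line.startswith("Keytab name:"):
            result["keytab"] = line.split(":", 1)[1].strip()
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # column header, dashed rule, or blank line
        kvno, principal, enctype = m.groups()
        result["entries"].append(
            {"kvno": int(kvno), "principal": principal, "enctype": enctype}
        )
    return result


def keytab_facts(path):
    """Run klist on a keytab (needs MIT klist on PATH and read access to path).

    Only -k and -e are used; -K is left out on purpose because it prints
    key values, which do not belong in telemetry.
    """
    out = subprocess.run(
        ["klist", "-k", "-e", path], check=True, capture_output=True, text=True
    ).stdout
    return parse_klist_k(out)


if __name__ == "__main__":
    print(json.dumps(parse_klist_k(SAMPLE), indent=2))
```

Lines that do not match the entry pattern are skipped rather than raising, so a layout change in a future klist release shows up as missing entries; compare the entry count against expectations before trusting the feed.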