krb5dissect


Introduction

krb5dissect is a tool that reads Kerberos credential files and prints them in a human-readable format. It supports the ccache (/tmp/krb5cc_$UID) and keytab (/etc/krb5.keytab) formats.

Krb5dissect also provides a standalone C89 implementation of a Kerberos ccache and keytab parser, which you can reuse in your own project by copying ccache.h and ccache.c, or keytab.h and keytab.c, respectively. The two parsers are fully standalone: they do not require the rest of krb5dissect, autoconf, or even each other. Build with -DTEST to get a simplistic frontend similar to the one in krb5dissect. This "source code library" is used by Shishi.

The goal of this implementation is to be highly portable and to require only an ANSI C89 platform.

If you want help with using or adapting this implementation on a commercial basis, please contact me.

Krb5dissect is licensed under the GNU General Public License.

What's new

See the NEWS file from live sources.

Documentation

There is a man page included in the distribution.

The formats are documented in ccache.txt and keytab.txt.

Download

The releases are distributed from the release directory.

All releases are signed with an OpenPGP key with fingerprint 0xB565716F.

Examples

Basic invocation.

jas@mocca:~$ krb5dissect
krb5dissect 2.1
Copyright (C) 2007 Simon Josefsson.
This is free software.  You may redistribute copies of it under the terms of
the GNU General Public License .
There is NO WARRANTY, to the extent permitted by law.

Written by Simon Josefsson.

krb5dissect 2.1

Display Kerberos 5 credentials, read from FILE, in text form.

When FILE is -, read standard input.

Supported formats are the version 0x0502 Kerberos 5 keytab and the
version 0x0504 Kerberos 5 ccache.  Keytabs are typically stored in
/etc/krb5.keytab and ccache in /tmp/krb5cc_$UID.  The tool
automatically detect the format and selects the appropriate decoder.

Usage: krb5dissect [OPTIONS]... FILE

  -h, --help     Print help and exit
  -V, --version  Print version and exit
  -k, --keytab   Read from /etc/krb5.keytab instead of stdin.
  -c, --ccache   Read from /tmp/krb5cc_$UID instead of stdin.
      --quiet    Don't print initial banner  (default=off)
jas@mocca:~$
      

Print the contents of the host's /etc/krb5.keytab.

dopio:~# krb5dissect --quiet --keytab
file_format_version 0502

Keytab entry 0:
        size 003d
        num_components 9ff4
        num_components 0002
        realmlen 0013
        realm DOPIO.JOSEFSSON.ORG
                componentlen 0004
                component host
                componentlen 0005
                component dopio
        name_type 0001
        key:
                vno8 0001
                keytype 0003
                keylen 0008
                key value: 0123...
                vno 0001
...
dopio:~#
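
The keytab layout that the dump above walks through, as an added example (not code from krb5dissect or its keytab.c): a bounds-checked reader for the first entry of a version 0x0502 keytab. The struct and function names are hypothetical, the sample bytes are constructed from the dump with a zero timestamp and an all-zero key, and the 32-bit timestamp after name_type, which the dump does not label, is an assumption.

```c
/* Added example, not krb5dissect's keytab.c; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>
struct kt_entry { char realm[64]; unsigned long ncomp, name_type, kvno, keytype, keylen; };
struct rd { const unsigned char *p; size_t left; int bad; };
/* Consume n bytes; on a short buffer set the sticky error flag instead. */
static const unsigned char *bytes(struct rd *r, size_t n) {
    const unsigned char *s = r->p;
    if (r->left < n) { r->bad = 1; r->left = 0; return NULL; }
    r->p += n; r->left -= n;
    return s;
}
static unsigned long be(struct rd *r, size_t n) {   /* big-endian integer */
    const unsigned char *s = bytes(r, n);
    unsigned long v = 0;
    while (s && n--) v = (v << 8) | *s++;
    return v;
}
/* Returns 0 on success, -1 on a wrong version, truncation or a lying length. */
int kt_first_entry(const unsigned char *buf, size_t len, struct kt_entry *e) {
    struct rd f, r;
    unsigned long size, i, n;
    const unsigned char *s;
    f.p = buf; f.left = len; f.bad = 0;
    if (be(&f, 2) != 0x0502) return -1;
    size = be(&f, 4);              /* signed on disk: negative marks a hole */
    if (f.bad || size == 0 || size > 0x7fffffffUL || size > f.left) return -1;
    r.p = f.p; r.left = size; r.bad = 0;   /* confine reads to this record */
    e->ncomp = be(&r, 2);
    n = be(&r, 2); s = bytes(&r, n);       /* realmlen, realm */
    if (r.bad || n >= sizeof e->realm) return -1;
    memcpy(e->realm, s, n); e->realm[n] = '\0';
    for (i = 0; i < e->ncomp; i++) bytes(&r, be(&r, 2));   /* skip name parts */
    e->name_type = be(&r, 4); be(&r, 4);   /* then the assumed 32-bit timestamp */
    e->kvno = be(&r, 1);                   /* vno8 */
    e->keytype = be(&r, 2); e->keylen = be(&r, 2);
    bytes(&r, e->keylen);                  /* key bytes are skipped, never printed */
    if (r.left >= 4 && (n = be(&r, 4)) != 0) e->kvno = n;  /* 32-bit vno wins */
    return r.bad ? -1 : 0;
}
/* Constructed sample: the entry dumped above, zero timestamp, all-zero key. */
static const unsigned char sample[] = "\x05\x02" "\x00\x00\x00\x3d" "\x00\x02"
    "\x00\x13" "DOPIO.JOSEFSSON.ORG" "\x00\x04" "host" "\x00\x05" "dopio"
    "\x00\x00\x00\x01" "\x00\x00\x00\x00" "\x01" "\x00\x03" "\x00\x08"
    "\0\0\0\0\0\0\0\0" "\x00\x00\x00\x01";
int main(void) {
    struct kt_entry e;
    if (kt_first_entry(sample, sizeof sample - 1, &e)) return 1;
    return printf("%s kvno %lu keytype %lu\n", e.realm, e.kvno, e.keytype) < 0;
}
```

Every length field is checked against the bytes remaining in the record before it is used, so a truncated file or an oversized realmlen is rejected rather than read past the buffer.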
      

Print the contents of your /tmp/krb5cc_$UID.

jas@mocca:~$ krb5dissect --quiet --ccache
file_format_version 0504
headerlen 000c
default_principal
        name_type 0001
        num_components 0001
        realmlen 0013
        realm DOPIO.JOSEFSSON.ORG
                componentlen 0003
                component jas

Ccache entry 0:
        client:
        name_type 0001
        num_components 0001
        realmlen 0013
        realm DOPIO.JOSEFSSON.ORG
                componentlen 0003
                component jas
        server:
        name_type 0000
        num_components 0002
        realmlen 0013
        realm DOPIO.JOSEFSSON.ORG
                componentlen 0006
                component krbtgt
                componentlen 0013
                component DOPIO.JOSEFSSON.ORG
        key:
                keytype 0012
                etype 0000
                keylen 0020
                key value: 0123...
        times:
                authtime 45f7d395
                starttime 45f7d395
                endtime 45f92513
                renew_till 0000
        is_skey 0000
        tktflags 6050
        ticketlen 0118
        second_ticketlen 0000
jas@mocca:~$
      

Development

The online GIT repository is available.


Simon Josefsson