Projects/Reporting-friendly KDB dump format
This is split from Projects/KDB reporting and bulk operations.
Contents
- 1 Background
- 2 Format choice
- 3 Examples
- 4 Conceptual tables
- 4.1 Principal metadata
- 4.2 Principal keys
- 4.3 Per-principal policy data
- 4.4 Per-principal lockout data
- 4.5 Principal boolean attributes
- 4.6 Principal string attributes
- 4.7 Principal key history metadata
- 4.8 Principal key history
- 4.9 Password policy
- 4.10 Lockout policy
- 4.11 Ticket policy
- 4.12 Policy boolean attributes
- 4.13 Policy allowed keysalts
- 5 C structure cross reference
- 6 tl_data cross reference
Background
Operators often want to perform reporting operations on KDB data, but the dump format is optimized for loading by kdb5_util
, not human reading or reporting using simple scripts. For example, the number of columns on each principal dump line depends on the number of keydata entries associated with that principal. Also, some useful metadata such as modification date are only present in a human-unfriendly hexadecimal format, as an artifact of being stored in the tl_data of the principal.
Format choice
Tab-separated value formats are probably acceptable to the largest variety of tools. These tools range from simple awk scripts to SQL databases. Comma-separated values are easy to add. Various quoting and escaping options exist in various dialects of CSV format. Opinions vary on whether tab-separated formats can use quoting, but in any case, most of the fields will not require quoting if tab-separated.
There are several conceptual database tables, each of which will have a different set of columns. To allow a single combined dump format, each dump line will have a first column that indicates the conceptual table to which it belongs. Another option is to provide command line options to select an individual conceptual table to dump, in which case the table name prefix would be omitted from each line. Headers should be optional, because some tools work better without them.
Examples
These are some examples of how commonly available tools could be used to manipulate output from one of these dumps.
$ cat keyinfo.txt name keyindex kvno enctype salttype salt foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 $ sqlite3 sqlite> .mode tabs sqlite> .import keyinfo.txt keyinfo sqlite> select * from keyinfo where enctype like 'des-cbc-%'; bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 sqlite> .quit $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
Conceptual tables
This is an attempt to split KDB data fields into a somewhat more normalized schema that is somewhat easier to manipulate for reporting purposes.
Principal metadata
- rectype
- princmeta
- name
- Principal name (krb5_kdb_entry)
- modby
- Last modified by (principal name) (KRB5_TL_MOD_PRINC)
- moddate
- Last modification date (KRB5_TL_MOD_PRINC)
- lastpwd
- Last password change (KRB5_TL_LAST_PWD_CHANGE)
- policy
- Policy object name (osa_princ_ent_rec)
- mkvno
- Master key version used for this principal's key data (KRB5_TL_MKVNO)
Principal keys
There will generally be multiple dump key data dump lines per principal. The order is significant (though typically it's only important within the active kvno), so there will need to be a key index number in case the user imports the dump into a data store that doesn't preserve the ordering of input lines (such as most relational databases).
Some open questions include whether to use numeric values or string representations for enctype or salt type. Maybe this can be a runtime option?
- rectype
- keyinfo (or keydata)
- name
- Principal name (krb5_kdb_entry)
- keyindex
- Key index
- kvno
- Key version number
- enctype
- Enctype
- salttype
- Salt type
- salt
- Salt data as hex string (might be "-1" to denote no salt or normal/default salt)
A sample implementation of a "keyinfo" dump format is at https://github.com/tlyu/krb5/tree/keyinfo
Per-principal policy data
- rectype
- princpolicy
- name
- Principal name
- expiration
- Principal expiration date
- pw_expiration
- Password expiration date
- max_life
- Max ticket lifetime
- max_renew_life
- Max renewable ticket lifetime
Per-principal lockout data
These are the per-KDC (non-replicated) data that track failed logins due to incorrect passwords.
- Principal name
- Last success
- Last failure
- Count of failed attempts
Principal boolean attributes
This is currently an boolean flag word; it's probably best to make it a set of strings. This is a bit tricky because there are some flags that are of the form disallow_*.
- Principal name
- Attribute name if set (string form)
- Boolean value (true/false or 1/0)
Feedback from operators indicates that having a row for each attribute, regardless of whether or not it's set, can be useful to satisfy auditors.
Unknown attributes can probably print as hexadecimal numbers, or optionally ignored.
Principal string attributes
- Principal name
- Attribute name
- Attribute value
Principal key history metadata
- Principal name
- kvno of kadmin/history key (admin_history_kvno)
- old_key_len (internal ring buffer length)
- old_key_next (internal ring buffer index)
Principal key history
This is very similar to the keyinfo/keydata table. There is some weird ring buffer stuff that we may or may not want to reflect in the dump.
- Principal name
- Key index
- Key version number (kvno)
- Enctype
- Salt type
- Salt data as hex string (might be "-1" to denote no salt or normal/default salt)
Password policy
- Policy name
- Min password life
- Max password life
- Min password length
- Min password character classes
- Password history length
Lockout policy
- Policy name
- Max failures
- Failure count reset interval
- Lockout duration
Ticket policy
- Policy name
- Max ticket lifetime
- Max renewable ticket lifetime
Policy boolean attributes
As for principal boolean attributes
Policy allowed keysalts
(Is this an ordered list?)
- Policy name
- Enctype
- Salt type
C structure cross reference
krb5_db_entry
- magic
- (not encoded)
- len
- mask
- (not encoded?)
- attributes
- princflags
- max_life
- princpolicy
- max_renewable_life
- princpolicy
- expiration
- princpolicy
- pw_expiration
- princpolicy
- last_success
- princlockout
- last_failed
- princlockout
- fail_auth_count
- princlockout
- n_tl_data
- (tl_data)
- n_key_data
- keyinfo/keydata
- e_length
- (implicit)
- e_data
- princ_edata
- princ
- (redundant? not for consistency vs db key)
- tl_data
- (tl_data)
- key_data
- keyinfo/keydata
osa_princ_ent_rec
- version
- policy
- princmeta
- aux_attributes
- old_key_len
- oldkeymeta
- old_key_next
- oldkeymeta
- old_keys
- oldkeyinfo/oldkeydata
- admin_history_kvno
- oldkeymeta
tl_data cross reference
- KRB5_TL_LAST_PWD_CHANGE
- princmeta
- KRB5_TL_MOD_PRINC
- princmeta
- KRB5_TL_KADM_DATA
- (see osa_princ_ent_rec)
- KRB5_TL_MKVNO
- princmeta