
Projects/Reporting-friendly KDB dump format improvements

From K5Wiki
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project includes improvements to Projects/Reporting-friendly KDB dump format.


Conceptual tables

Principal key history

This table is very similar to the keyinfo/keydata table. The old-keys array in osa_princ_ent_rec is managed as a ring buffer (old_key_len, old_key_next); we may or may not want to reflect that ring-buffer ordering in the dump.

  • Principal name
  • Key index
  • Key version number (kvno)
  • Enctype
  • Salt type
  • Salt data as hex string (might be "-1" to denote no salt or normal/default salt)

Password policy

  • Policy name
  • Min password life
  • Max password life
  • Min password length
  • Min password character classes
  • Password history length

Lockout policy

  • Policy name
  • Max failures
  • Failure count reset interval
  • Lockout duration

Ticket policy

  • Policy name
  • Max ticket lifetime
  • Max renewable ticket lifetime

Policy boolean attributes

Same layout as for principal boolean attributes, keyed by policy name.

Policy allowed keysalts

(Is this an ordered list?)

  • Policy name
  • Enctype
  • Salt type
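The two tables above (principal key history and policy allowed keysalts) are the ones a reporting tool would most often join. The following is an added example, not part of this project page or of MIT Kerberos: it assumes a hypothetical line-oriented dump in which each line names its conceptual table and then carries the columns listed above, tab-separated, plus a hypothetical princ_meta line holding the principal's policy name (the page maps osa_princ_ent_rec.policy to princ_meta). It parses the salt-data column, treating "-1" as "no salt / default salt" as the page specifies, and reports key-history entries whose enctype/salt type pair is not in the principal's policy allowed keysalts. Table names, column order and all sample values are constructed for illustration.

```python
"""Parse a hypothetical reporting-friendly KDB dump and join key history
against policy allowed keysalts.  Added example; the dump layout is an
assumption, not the format this project defines."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample dump.  Columns per conceptual table (assumed layout):
#   keyhistory     principal, key index, kvno, enctype, salt type, salt hex
#   princmeta      principal, policy name
#   policykeysalts policy name, enctype, salt type
# Enctype/salt type numbers are sample values (18 = aes256-cts-hmac-sha1-96,
# 23 = rc4-hmac, salt type 0 = normal, 4 = special, per the MIT constants).
SAMPLE_DUMP = """\
keyhistory\tuser@EXAMPLE.COM\t0\t3\t18\t0\t-1
keyhistory\tuser@EXAMPLE.COM\t1\t3\t23\t0\t-1
keyhistory\tuser@EXAMPLE.COM\t2\t2\t18\t4\t4558414d504c45
keyhistory\thost/db1.example.com@EXAMPLE.COM\t0\t5\t18\t0\t-1
princmeta\tuser@EXAMPLE.COM\tdefault
princmeta\thost/db1.example.com@EXAMPLE.COM\tservice
policykeysalts\tdefault\t18\t0
policykeysalts\tdefault\t17\t0
policykeysalts\tservice\t18\t0
"""


@dataclass(frozen=True)
class KeyHistoryRow:
    principal: str
    key_index: int
    kvno: int
    enctype: int
    salttype: int
    salt: Optional[bytes]  # None when the dump carries "-1" (no/default salt)


def parse_salt(field: str) -> Optional[bytes]:
    """Salt data is a hex string; "-1" means no salt or the normal salt."""
    if field == "-1":
        return None
    return bytes.fromhex(field)


def parse_dump(text: str) -> Tuple[List[KeyHistoryRow], Dict[str, str],
                                   Dict[str, Set[Tuple[int, int]]]]:
    """Split the dump into the three conceptual tables used by the report."""
    key_history: List[KeyHistoryRow] = []
    policy_of: Dict[str, str] = {}                    # principal -> policy
    allowed: Dict[str, Set[Tuple[int, int]]] = {}     # policy -> {(enctype, salttype)}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        table, *cols = line.split("\t")
        if table == "keyhistory":
            if len(cols) != 6:
                raise ValueError(f"line {lineno}: keyhistory needs 6 columns")
            key_history.append(KeyHistoryRow(
                cols[0], int(cols[1]), int(cols[2]), int(cols[3]),
                int(cols[4]), parse_salt(cols[5])))
        elif table == "princmeta":
            policy_of[cols[0]] = cols[1]
        elif table == "policykeysalts":
            allowed.setdefault(cols[0], set()).add((int(cols[1]), int(cols[2])))
        else:
            raise ValueError(f"line {lineno}: unknown table {table!r}")
    return key_history, policy_of, allowed


def keys_outside_policy(key_history, policy_of, allowed):
    """Return (principal, key index, kvno, enctype, salttype) for every
    key-history entry whose keysalt the principal's policy does not allow.
    Principals with no policy, or a policy with no keysalt list, are skipped
    since there is nothing to compare against."""
    findings = []
    for row in key_history:
        policy = policy_of.get(row.principal)
        if policy is None or policy not in allowed:
            continue
        if (row.enctype, row.salttype) not in allowed[policy]:
            findings.append((row.principal, row.key_index, row.kvno,
                             row.enctype, row.salttype))
    return findings


def report(text: str = SAMPLE_DUMP):
    return keys_outside_policy(*parse_dump(text))


if __name__ == "__main__":
    for finding in report():
        print("keysalt outside policy:", finding)
```

Because key history is included, the report covers old keys as well as the current one; an entry at a higher key index with a disallowed enctype is exactly the kind of leftover a reporting-oriented dump is meant to make visible.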

C structure cross reference

krb5_db_entry

  Field                 Dump table
  magic                 (not encoded)
  len
  mask                  (not encoded?)
  attributes            princ_flags
  max_life              princ_tktpolicy
  max_renewable_life    princ_tktpolicy
  expiration            princ_tktpolicy
  pw_expiration         princ_tktpolicy
  last_success          princ_lockout
  last_failed           princ_lockout
  fail_auth_count       princ_lockout
  n_tl_data             (tl_data)
  n_key_data            keyinfo/keydata
  e_length              (implicit)
  e_data                princ_edata
  princ                 (everywhere)
  tl_data               (tl_data)
  key_data              keyinfo/keydata

osa_princ_ent_rec

  Field                 Dump table
  version
  policy                princ_meta
  aux_attributes
  old_key_len           (implicit in oldkeyinfo/oldkeydata)
  old_key_next          (implicit in oldkeyinfo/oldkeydata)
  old_keys              oldkeyinfo/oldkeydata
  admin_history_kvno    princ_meta

tl_data cross reference

  tl_data type              Dump table
  KRB5_TL_LAST_PWD_CHANGE   princ_meta
  KRB5_TL_MOD_PRINC         princ_meta
  KRB5_TL_KADM_DATA         (see osa_princ_ent_rec)
  KRB5_TL_MKVNO             princ_meta