Bash: scripting Kerberos ktutil to generate a keytab


I want to make a script that generates a keytab using ktutil. When running the script I want to use:

[user]$ script.sh PASSWORD

#script.sh
echo "addent -password -p PRINCIPAL -k 1 -e aes256-cts-hmac-sha1-96" | ktutil
ktutil needs a password; here I want to use the PASSWORD argument from above. How do I pass the password argument?

Using GNU bash:

user="PRINCIPAL"
pass="topsecret"

printf "%b" "addent -password -p $user -k 1 -e aes256-cts-hmac-sha1-96\n$pass\nwrite_kt $user.keytab" | ktutil

printf "%b" "read_kt $user.keytab\nlist" | ktutil
Output:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 PRINCIPAL@YOURDOMAIN

Python version

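Piping the password to ktutil in the shell is not secure, because the password will be visible in the process list.

Since this Python script uses only the pexpect library to interact with ktutil, the same functionality can be implemented as a pure shell script.


Hope this helps.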

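To create keytabs for multiple orgs at once, along with the default hbase, pipe and hdfs keytabs, you can run the following script that I just created: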

#!/bin/bash
read -p "Please enter space-delimited list of ORGS to create: " NEW_ORGS

clear
#echo "#################  CREATE KEYTABS  ############################"
#echo ""
kdestroy

for i in $NEW_ORGS
do
     printf "%b" "addent -password -p ${i} -k 1 -e aes256-cts-hmac-sha1-96\n${i}\nwrite_kt ${i}.keytab" | ktutil

     printf "%b" "read_kt ${i}.keytab\nlist" | ktutil

done
echo ""


if [ ! -e /home/eip/.keytabs/hbase.keytab ]
then
        printf "%b" "addent -password -p hbase -k 1 -e aes256-cts-hmac-sha1-96\nhbase\nwrite_kt hbase.keytab" | ktutil

        printf "%b" "read_kt hbase.keytab\nlist" | ktutil
fi

exit 0
Enjoy.


Use expect to keep the password out of the process list:

expect << EOF
    set timeout 10
    spawn /usr/bin/ktutil
    expect {
       "ktutil: " { send "addent -password -p $PRINCIPAL -k 1 -e $METHOD\r" }
       timeout { puts "Timeout waiting for ktutil prompt."; exit 1; }
    }
    expect {
       -re "Password for \\\\S+: " { send "$PASSWORD\r" }
       timeout { puts "Timeout waiting for password prompt."; exit 1; }
    }
    expect {
       "ktutil: " { send "wkt $KEYTAB_TMP\r" }
    }
    expect {
       "ktutil: " { send "q\r" }
    }
EOF

This is not secure. The password will be visible. The password cannot be read when adding a new entry.
/usr/bin/ktutil <<EOF
addent -password -p $PRINCIPAL -k 1 -e $METHOD
$PASSWORD
wkt $KEYTAB_TMP
q
EOF
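
A hardened variant of the piped approach discussed in this thread, as an added example that is not part of any of the original posts: the password is read from stdin instead of `script.sh PASSWORD`, is written with `printf '%s\n'` rather than `"%b"`, and the keytab is created owner-only. It assumes a ktutil build that accepts the password on stdin, as the piped answers above do; `KTUTIL`, `ktutil_input` and `make_keytab` are names made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. KTUTIL (path override) and the
# function names are assumptions made for this sketch.
NL='
'

# Build the command stream for ktutil's stdin. printf '%s\n' writes the
# password byte for byte; "%b" would expand backslash escapes, so a password
# containing \n would be split into extra ktutil commands.
ktutil_input() {
    local principal="$1" enctype="$2" keytab="$3" password="$4" field
    case $password in ''|*"$NL"*) return 1 ;; esac
    # These become words on a ktutil command line: reject empty or whitespace.
    for field in "$principal" "$enctype" "$keytab"; do
        case $field in ''|*[[:space:]]*) return 1 ;; esac
    done
    printf '%s\n' \
        "addent -password -p $principal -k 1 -e $enctype" \
        "$password" \
        "write_kt $keytab" \
        "quit"
}

# Take the password from stdin (prompt or redirected file), never from argv,
# and write the keytab under umask 077 because it holds long-term keys.
make_keytab() {
    local principal="$1" keytab="$2" enctype="${3:-aes256-cts-hmac-sha1-96}"
    local password='' input
    if [ -t 0 ]; then
        printf 'Password for %s: ' "$principal" >&2
        stty -echo
        IFS= read -r password || :
        stty echo
        echo >&2
    else
        IFS= read -r password || :
    fi
    input=$(ktutil_input "$principal" "$enctype" "$keytab" "$password") || return 1
    (
        umask 077
        printf '%s\n' "$input" | "${KTUTIL:-ktutil}" >/dev/null
    ) || return 1
    [ -s "$keytab" ]   # confirm a keytab was actually written
}
```

Call it as `make_keytab PRINCIPAL PRINCIPAL.keytab` for an interactive prompt, or redirect stdin from a file that only the owner can read.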