Scripting with Interactive Utilities

Hello All,

I need to automate the joining of Linux Workstations into Active Directory. I am using the MIT Kerberos implementation. The version of ktutil that ships with the MIT package requires user input (an interactive utility). I would like to use a bash script to call ktutil; any suggestions on how to do this?

Perhaps Tcl Expect would be useful? http://en.wikipedia.org/wiki/Expect

Peter

> Hello All, I need to automate the joining of Linux Workstations into Active Directory. I am using the MIT Kerberos implementation. The version of ktutil that ships with the MIT package requires user input (an interactive utility)
> I would like to use a bash script to call ktutil, any suggestions on how to do this?
> ---
> Talk Mailing List
> talk@gtalug.org
> http://gtalug.org/mailman/listinfo/talk

--
Peter Hiscocks
Syscomp Electronic Design Limited, Toronto
http://www.syscompdesign.com
USB Oscilloscope and Waveform Generator
647-839-0325

Also, Bash or Python, or anything that can read/write stdin/stdout. Difference is how easy you can write out the script.

--
William

On Fri, Mar 27, 2015 at 03:05:37PM -0400, phiscock@ee.ryerson.ca wrote:
> Perhaps Tcl Expect would be useful? http://en.wikipedia.org/wiki/Expect
>
> Peter

You can just spit it to stdin of ktutil

echo -e "add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96\ntest\nwkt test_srv" | ktutil

or if you don't want to keep passwords in shell history, put commands to the file and then

cat command_file | ktutil

where command file is
---
add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
test
wkt test_srv
---

Tim

On 2015-03-27 13:21, Ansar Mohammed wrote:
> Hello All, I need to automate the joining of Linux Workstations into Active Directory. I am using the MIT Kerberos implementation. The version of ktutil that ships with the MIT package requires user input (an interactive utility)
> I would like to use a bash script to call ktutil, any suggestions on how to do this?

On Fri, Mar 27, 2015 at 03:37:03PM -0400, Tim Sattarov wrote:
> You can just spit it to stdin of ktutil
>
> echo -e "add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96\ntest\nwkt test_srv" | ktutil
>
> or if you don't want to keep passwords in shell history, put commands to the file and then

It also has the problem that it is in the command line arguments and hence visible in the process table to any user on the system.

> cat command_file | ktutil
>
> where command file is
> ---
> add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
> test
> wkt test_srv
> ---

Of course that means it is written to disk, unless you use a file on a ramdisk, which is also considered bad by sufficiently paranoid people. A file on a ramdisk is an improvement at least.

--
Len Sorensen
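The stdin approach Tim describes above, adjusted for the two exposures Len raises (the password sitting on a command line, or in a file on disk), as an added example that is not part of this thread and not MIT Kerberos code: the ktutil commands are generated by the shell's builtin printf and piped straight into ktutil, so the password is never handed to an external process's argument list and never touches disk, and it is read at a no-echo prompt rather than typed into the shell history. The variable names KTPASS and KTUTIL (the latter only an override so the generated script can be inspected with cat instead of ktutil), the script file name and the principal and keytab values are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): drive ktutil from a script without the
# password landing in argv, shell history, or a file on disk.
# Assumed names: KTPASS (password variable), KTUTIL (consumer override, for
# inspection/testing) and the placeholder principal/keytab values.
set -eu

# Print the ktutil command script on stdout.
# Arguments: principal, kvno, enctype, keytab path. The password is taken
# from $KTPASS, never from argv, and printf is a shell builtin, so no
# external process ever receives it as an argument.
ktutil_script() {
  printf 'add_entry -password -p %s -k %s -e %s\n%s\nwkt %s\nquit\n' \
    "$1" "$2" "$3" "$KTPASS" "$4"
}

# Feed the script to ktutil through a pipe: no temp file, no ramdisk.
# KTUTIL may be overridden (e.g. KTUTIL=cat) to look at what would be sent.
ktutil_run() {
  ktutil_script "$@" | "${KTUTIL:-ktutil}"
}

# Read the password from the terminal with echo disabled, restoring the
# terminal settings even if the prompt is interrupted.
read_password() {
  printf 'Password for %s: ' "$1" >&2
  trap 'stty echo; exit 130' INT
  stty -echo
  read -r KTPASS
  stty echo
  trap - INT
  echo >&2
}

main() {
  principal=$1
  kvno=${2:-1}
  enctype=${3:-aes128-cts-hmac-sha1-96}
  keytab=${4:-/etc/krb5.keytab}
  read_password "$principal"
  ktutil_run "$principal" "$kvno" "$enctype" "$keytab"
  # Drop the secret from the shell's environment as soon as it is used.
  unset KTPASS
}

# Only run main when invoked with arguments, e.g. (placeholder values):
#   sh join-keytab.sh host/ws1.example.com@EXAMPLE.COM 2 aes256-cts-hmac-sha1-96 /etc/krb5.keytab
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The pipe replaces both of Tim's variants: unlike `echo -e "...password..." | ktutil` typed at a prompt, nothing is recorded in the shell history, and unlike `cat command_file | ktutil`, no file holding the password is ever created. Run with `KTUTIL=cat` to confirm the generated script before pointing it at the real ktutil.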

On Fri, Mar 27, 2015 at 04:54:10PM -0400, Lennart Sorensen wrote:
> On Fri, Mar 27, 2015 at 03:37:03PM -0400, Tim Sattarov wrote:
> > You can just spit it to stdin of ktutil
> > echo -e "add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96\ntest\nwkt test_srv" | ktutil
> > or if you don't want to keep passwords in shell history, put commands to the file and then
>
> It also has the problem that it is in the command line arguments and hence visible in the process table to any user on the system.

I guess, you can do something like <(cat file).

On 2015-03-27 16:54, Lennart Sorensen wrote:
> On Fri, Mar 27, 2015 at 03:37:03PM -0400, Tim Sattarov wrote:
> > You can just spit it to stdin of ktutil
> > echo -e "add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96\ntest\nwkt test_srv" | ktutil
> > or if you don't want to keep passwords in shell history, put commands to the file and then
>
> It also has the problem that it is in the command line arguments and hence visible in the process table to any user on the system.

Exactly because of that I suggested variant below

> > cat command_file | ktutil
> > where command file is
> > ---
> > add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
> > test
> > wkt test_srv
> > ---
>
> Of course that means it is written to disk, unless you use a file on a ramdisk, which is also considered bad by sufficiently paranoid people.
> A file on a ramdisk is an improvement at least.

Seriously? We want to avoid entering manually sensitive data and yet for security we need to enter it manually? If it is so, you can once provide GPG password for
- decryption of encrypted *sensitive data file* kept on
- encrypted ramdrive on
- laptop in a safe bunker
- transferred over SSH tunnel authenticated with 521kbit ECDSA key (decrypted locally of course)
and run your batch off that file.

Happy Friday everyone :)

Tim

As we all seem to agree, this is pretty insecure. It was acceptable when there was no alternative, but currently one shouldn't go this route.

Take a look at FreeIPA. Seriously, it does this pretty securely. Better too, it's pretty easy to manage, which means it wouldn't be pulled out when you move on.

Another thing: every host you enroll into AD counts against your licensed CALs. If you set up a trust relationship between FreeIPA and AD, you can join hundreds of Linux hosts without any licensing implications.

Lastly, FreeIPA will manage your sudo rules by default, offer host based access control (like which user can ssh in), SELinux, easy management through puppet, just to name a few.

Seriously, give FreeIPA a chance and you will realize AD of Linux is here finally.

Regards,
William

On 2015-03-27 21:23, William Muriithi wrote:
> Seriously, give FreeIPA a chance and you will realize AD of Linux is here finally.

I was just about to send this message with "Unfortunately FreeIPA is limited to RPM based distributions." but look: https://packages.debian.org/sid/freeipa-server

I second this suggestion. FreeIPA is a nice way to mirror AD functionality plus more Unix features.

Tim
participants (6)
- Ansar Mohammed
- Lennart Sorensen
- phiscock@ee.ryerson.ca
- Tim Sattarov
- William Muriithi
- William Park