Bruce: A Command Line Kerberos.NET Management Tool
The Kerberos.NET library is incredibly flexible in what it allows you to do with Kerberos-related things...in code. However, sometimes you don't want to write a bunch of boilerplate code and just want to test out a few scenarios or set up an environment that's compatible with MIT Kerberos, Heimdal, or Windows.
In an attempt to make things easier I recently built and published a new command line tool called Bruce*. It follows the MIT and Heimdal model for tooling. There's a bunch of commands separated into logical purposes:
- kinit -- Obtain and cache a Kerberos Ticket-Granting-Ticket.
- klist -- Displays the current list of tickets in the cache.
- kconfig -- Set or review configuration settings at the default path.
- kdestroy -- Delete the ticket cache.
- kdecode -- Decode tickets into readable structures and optionally decrypt with a provided key.
- kping -- Initiate an AS-REQ "ping" request to a KDC of the current or provided user and list all the details.
- ktpass -- View and manipulate keytab files with added support for troubleshooting.
The Bruce tool is a simple shell-like environment that lets you call the commands within itself or from its own command line.
____
| __ ) _ __ _ _ ___ ___
| _ \| '__| | | |/ __/ _ \
| |_) | | | |_| | (_| __/
|____/|_| \__,_|\___\___|
Command Line tooling for the Kerberos.NET library. (v4.5.14+0131d7e8b6)
(C) Copyright 2020 .NET Foundation
bruce>kinit
Password for steve@SYFUHS.NET: ******************************
Ticket Count: 1
#0> Client: steve @ SYFUHS.NET
Server: krbtgt/SYFUHS.NET @ SYFUHS.NET
Ticket EType: AES256_CTS_HMAC_SHA1_96
Flags: EncryptedPreAuthentication, PreAuthenticated, Initial, Renewable, Forwardable
Start Time: 12/31/1969 4:00:00 PM -08:00
End Time: 9/11/2020 9:37:15 PM -07:00
Renew Until: 9/12/2020 11:37:15 AM -07:00
bruce>_
For added flexibility, you can also copy bruce.exe and rename the copy to any of the above commands, and it will act as if it were its own self-contained command.
C:\dev\>copy bruce.exe kinit.exe
C:\dev\>kinit.exe
Password for steve@SYFUHS.NET: ******************************
Ticket Count: 1
#0> Client: steve @ SYFUHS.NET
Server: krbtgt/SYFUHS.NET @ SYFUHS.NET
Ticket EType: AES256_CTS_HMAC_SHA1_96
Flags: EncryptedPreAuthentication, PreAuthenticated, Initial, Renewable, Forwardable
Start Time: 12/31/1969 4:00:00 PM -08:00
End Time: 9/11/2020 9:43:55 PM -07:00
Renew Until: 9/12/2020 11:43:55 AM -07:00
C:\dev\>_
Why didn't you just create a bunch of different command line tools then?
Because I just didn't want to.
The commands are extensible. You can create your own if you want. It just requires some attribute decorations:
[CommandLineCommand("klist", Description = "KerberosList")]
public class KerberosListCommand : BaseCommand
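The two behaviours described above, attribute-decorated commands and dispatch on the name the executable was copied to, are shown together in the following added example. It is not Bruce's own source: the attribute and base class are stand-ins that only mirror the names in the snippet above, and `Execute`, `Dispatcher` and the process-name lookup are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Reflection;

// Stand-in types (assumptions): they mirror the names on this page, not the real Bruce API.
[AttributeUsage(AttributeTargets.Class)]
public sealed class CommandLineCommandAttribute : Attribute
{
    public CommandLineCommandAttribute(string name) => Name = name;
    public string Name { get; }
    public string Description { get; set; }
}

public abstract class BaseCommand { public abstract int Execute(string[] args); } // Execute is hypothetical

[CommandLineCommand("klist", Description = "KerberosList")]
public class KerberosListCommand : BaseCommand
{
    public override int Execute(string[] args) { Console.WriteLine("klist: would list cached tickets"); return 0; }
}

public static class Dispatcher
{
    // Build a case-insensitive map of command name -> type from the attribute decorations.
    public static Dictionary<string, Type> Discover(Assembly assembly) =>
        assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(BaseCommand).IsAssignableFrom(t))
            .Select(t => (Type: t, Attr: t.GetCustomAttribute<CommandLineCommandAttribute>()))
            .Where(x => x.Attr != null)
            .ToDictionary(x => x.Attr.Name, x => x.Type, StringComparer.OrdinalIgnoreCase);

    // Try the invoked name first (klist.exe -> "klist"); otherwise treat args[0] as the command (bruce klist).
    public static int Run(string invokedAs, string[] args)
    {
        var commands = Discover(typeof(Dispatcher).Assembly);
        var name = invokedAs;
        if (!commands.ContainsKey(name))
        {
            if (args.Length == 0) { Console.Error.WriteLine("usage: bruce <command> [args]"); return 2; }
            (name, args) = (args[0], args.Skip(1).ToArray());
        }
        if (!commands.TryGetValue(name, out var type)) { Console.Error.WriteLine($"unknown command: {name}"); return 2; }
        return ((BaseCommand)Activator.CreateInstance(type)).Execute(args);
    }

    public static int Main(string[] args) => Run(Process.GetCurrentProcess().ProcessName, args);
}
```

Because the command is chosen from the file name, a copy named `klist.exe` runs the `klist` command directly, while any other name falls back to the first argument.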
Getting the Tool
The tool is shipped as a dotnet tool right now. It's called 'bruce'. Go figure.
> dotnet tool install -g bruce
A standalone installer is forthcoming.
*Why the name Bruce?
Bruce is our guard dog.