"Last successful authentication" always set to "never"
John Hascall
john at iastate.edu
Wed Oct 15 15:20:31 EDT 2003
> [... re logs as an alternative source ]
> > Without preauth you can't tell a successful from
> > unsuccessful attempt.
> At all, right? What would `successful authentication' mean
> at the KDC in the absence of preauthentication? I am probably
> confused about something here.
Without preauth the Kerberos TGT protocol is essentially:
client: "send me a TGT for principal foo"
server: "here's something encrypted in foo's key" hope you can decode it
So all you see is the request/reply in the log, you have no idea if
the requestor has the proper key (password) to decode the message.
With preauth, the client has to start the conversation
with: "here's a thing encrypted in foo's key" so the server
can know if they have the right key or not -- and log it
thusly:
Oct 10 06:53:36 kerberos-1.iastate.edu krb5kdc[9196](info): \
AS_REQ (7 etypes {3 1 2 16 8 23 0}) 129.186.97.220(88): \
PREAUTH_FAILED: janeuser@IASTATE.EDU for krbtgt/IASTATE.EDU@IASTATE.EDU, \
Preauthentication failed
John
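
A log-side check built on the point made in this message, as an added example that is not part of the original post: it tallies AS_REQ outcomes from krb5kdc log text, flags repeated PREAUTH_FAILED entries, and treats an ISSUE entry as a proven login only for principals known to require preauth. The sample entries (modelled on the quoted log line and on MIT krb5kdc's NEEDED_PREAUTH and ISSUE entries), the threshold, and the `preauth_principals` set are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not real logs): hosts, times and principals are made up.
P = "krb5kdc[9196](info): AS_REQ (7 etypes {3 1 2 16 8 23 0})"
T = "krbtgt/EXAMPLE.EDU@EXAMPLE.EDU"
ISSUED = "ISSUE: authtime 1065786900, etypes {rep=16 tkt=16 ses=16}, "
EVENTS = [  # (source IP, status and remainder of the entry)
    ("192.0.2.20", "PREAUTH_FAILED: janeuser@EXAMPLE.EDU for " + T + ", Preauthentication failed"),
    ("192.0.2.20", "PREAUTH_FAILED: janeuser@EXAMPLE.EDU for " + T + ", Preauthentication failed"),
    ("192.0.2.20", "PREAUTH_FAILED: janeuser@EXAMPLE.EDU for " + T + ", Preauthentication failed"),
    ("192.0.2.31", "NEEDED_PREAUTH: bobuser@EXAMPLE.EDU for " + T + ", Additional pre-authentication required"),
    ("192.0.2.31", ISSUED + "bobuser@EXAMPLE.EDU for " + T),
    ("192.0.2.99", ISSUED + "legacy@EXAMPLE.EDU for " + T),  # principal without preauth
]
SAMPLE_LOG = "\n".join(
    "Oct 10 06:53:36 kdc1 " + P + " " + ip + "(88): " + rest for ip, rest in EVENTS)

AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(.*?\) (?P<ip>[\d.]+)\(\d+\): "
    r"(?P<status>[A-Z_]+): (?:.*?, )?(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")

def tally(log_text):
    """Count AS_REQ outcomes keyed by (client principal, source IP, status)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            counts[(m["client"], m["ip"], m["status"])] += 1
    return counts

def repeated_failures(log_text, threshold=3):
    """(principal, ip) pairs with at least `threshold` PREAUTH_FAILED entries."""
    return {(c, ip): n for (c, ip, s), n in tally(log_text).items()
            if s == "PREAUTH_FAILED" and n >= threshold}

def proven_logins(log_text, preauth_principals):
    """ISSUE entries that show key possession: only when preauth was required.
    Without preauth the KDC issues the reply to anyone who asks."""
    return sorted({(c, ip) for (c, ip, s) in tally(log_text)
                   if s == "ISSUE" and c in preauth_principals})

if __name__ == "__main__":
    print(repeated_failures(SAMPLE_LOG))
    print(proven_logins(SAMPLE_LOG, {"janeuser@EXAMPLE.EDU", "bobuser@EXAMPLE.EDU"}))
```
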