"Last successful authentication" always set to "never"

John Hascall john at iastate.edu
Wed Oct 15 15:20:31 EDT 2003


> [... re logs as an alternative source ]
> >      Without preauth you can't tell a successful from
> >      unsuccessful attempt.

> At all, right?  What would `successful authentication' mean
> at the KDC in the absence of preauthentication?  I am probably
> confused about something here.

Without preauth the Kerberos TGT protocol is essentially:

   client: "send me a TGT for principal foo"
   server: "here's something encrypted in foo's key" hope you can decode it

So all you see is the request/reply in the log, you have no idea if
the requestor has the proper key (password) to decode the message.

   With preauth, the client has to start the conversation
   with: "here's a thing encrypted in foo's key" so the server
   can know if they have the right key or not -- and log it
   thusly:

Oct 10 06:53:36 kerberos-1.iastate.edu krb5kdc[9196](info): \
AS_REQ (7 etypes {3 1 2 16 8 23 0}) 129.186.97.220(88): \
PREAUTH_FAILED: janeuser at IASTATE.EDU for krbtgt/IASTATE.EDU at IASTATE.EDU, \
Preauthentication failed

John
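
The distinction drawn in the message above, as an added example that is not part of the original post: a small classifier for krb5kdc AS_REQ log lines that counts an ISSUE as proof of key possession only when the principal is known to require preauthentication. The `preauth_required` set is an assumed input (for instance, exported from the KDC database), the log lines are constructed, and the ISSUE and NEEDED_PREAUTH status strings are MIT krb5kdc's but are not shown in the post.

```python
import re
from collections import defaultdict

# Constructed krb5kdc lines in the format quoted above (host, PID, addresses and
# principals are made up; the archive's " at " is written as "@" here).
SAMPLE_LOG = """\
Oct 10 06:53:36 kdc.example.edu krb5kdc[9196](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 192.0.2.20(88): PREAUTH_FAILED: janeuser@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed
Oct 10 06:53:40 kdc.example.edu krb5kdc[9196](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 192.0.2.20(88): NEEDED_PREAUTH: janeuser@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Additional pre-authentication required
Oct 10 06:53:41 kdc.example.edu krb5kdc[9196](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 192.0.2.20(88): ISSUE: authtime 1065786821, etypes {rep=16 tkt=16 ses=16}, janeuser@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Oct 10 06:54:02 kdc.example.edu krb5kdc[9196](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 192.0.2.31(88): ISSUE: authtime 1065786842, etypes {rep=16 tkt=16 ses=16}, olduser@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
"""

# Status keyword, then (for ISSUE) an "authtime ..., etypes {...}, " prefix,
# then the client principal. Accepts "@" or the archive-obfuscated " at ".
AS_REQ = re.compile(
    r"AS_REQ \(.*?\) [\d.]+(?:\(\d+\))?: (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<user>\S+?)(?:@| at )(?P<realm>\S+) for krbtgt/"
)


def classify(log_text, preauth_required):
    """Count, per client principal, what the KDC log can actually prove.

    proven_fail: PREAUTH_FAILED, the client presented data made with a wrong key.
    proven_ok:   ISSUE for a principal that requires preauth, so the KDC
                 verified the key before replying.
    unknown:     ISSUE for a principal without preauth; the KDC replied to
                 whoever asked, and the log cannot say whether they could decrypt it.
    """
    out = defaultdict(lambda: {"proven_ok": 0, "proven_fail": 0, "unknown": 0})
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue
        princ = f"{m['user']}@{m['realm']}"
        if m["status"] == "PREAUTH_FAILED":
            out[princ]["proven_fail"] += 1
        elif m["status"] == "ISSUE":
            key = "proven_ok" if princ in preauth_required else "unknown"
            out[princ][key] += 1
        # NEEDED_PREAUTH and other statuses say nothing about the key: skipped.
    return dict(out)


if __name__ == "__main__":
    # Assumption: only janeuser has the requires-preauth attribute set.
    for princ, counts in classify(SAMPLE_LOG, {"janeuser@EXAMPLE.EDU"}).items():
        print(princ, counts)
```
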

