analysis of krb5kdc.log
Ken Raeburn
raeburn at MIT.EDU
Mon Feb 20 15:29:17 EST 2006
On Feb 19, 2006, at 20:02, Matthew Cocker wrote:
> I have finally started to get around to analysing the krb5kdc.logs from
> our production server. Most of it was simple but I can't seem to find a
> marker for a failed login with an incorrect password. I see the same log
> entry for successful or unsuccessful logins using kinit?
> Is it even possible to tell from the KDC?
If you're not using some sort of preauth system, then no, not
directly. In both cases, the KDC sends something encrypted using the
user's password; the KDC doesn't know whether the user was able to
decrypt it. You could look to see if additional tickets were issued
to that user, but there's nothing in the logs tying the additional
tickets to the initial ticket request. (In some cases the addresses
from which the request was received will be consistent; however, if
there's more than one initial ticket request within a few hours, you
can't distinguish them, and laptops or dialup systems or other
dynamically addressed systems may change addresses over a short
enough time span that previously issued TGTs may still be valid.)
If you are using preauth, then you should be able to note incorrect
preauth information sent, but depending on the preauth system, it may
or may not be due to an incorrect password versus other causes.
Ken
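
The two approaches described in the reply above (counting preauth failures, and checking whether a later ticket request follows an initial one from the same client and address), as an added example that is not part of the original message. The MIT-style log line layout is an assumption, the sample lines are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines; the MIT-style krb5kdc.log layout is an assumption.
SAMPLE_LOG = """\
Feb 20 09:00:01 kdc krb5kdc[411](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 20 09:00:02 kdc krb5kdc[411](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 20 09:00:09 kdc krb5kdc[411](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: ISSUE: authtime 1140426009, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 20 09:00:15 kdc krb5kdc[411](info): TGS_REQ (2 etypes {18 17}) 192.0.2.10: ISSUE: authtime 1140426009, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/app.example.com@EXAMPLE.COM
Feb 20 09:05:00 kdc krb5kdc[411](info): AS_REQ (2 etypes {18 17}) 192.0.2.77: ISSUE: authtime 1140426300, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# request type, source address, status keyword, remainder of the line
LINE = re.compile(r"(AS_REQ|TGS_REQ) \([^)]*\) (\S+): ([A-Z_]+): (.*)")
# "<client> for <service>", optionally followed by ", <error text>"
PRINC = re.compile(r"(\S+) for (\S+?)(?:,|$)")


def summarize(log_text):
    """Per client: preauth failures and whether issued TGTs were later used."""
    stats = defaultdict(lambda: {"preauth_failed": 0, "tgt_used": 0,
                                 "ambiguous": 0, "tgt_unconfirmed": 0})
    pending = defaultdict(int)  # (client, addr) -> TGTs issued, not yet seen in use
    for line in log_text.splitlines():
        m = LINE.search(line)
        p = PRINC.search(m.group(4)) if m else None
        if not p:
            continue
        req, addr, status = m.group(1), m.group(2), m.group(3)
        client = p.group(1)
        key = (client, addr)
        if req == "AS_REQ" and status == "PREAUTH_FAILED":
            stats[client]["preauth_failed"] += 1
        elif req == "AS_REQ" and status == "ISSUE":
            pending[key] += 1
        elif req == "TGS_REQ" and status == "ISSUE" and pending.get(key):
            # Heuristic only: same client and address. Several initial
            # requests before one TGS_REQ cannot be told apart.
            n = pending.pop(key)
            stats[client]["tgt_used" if n == 1 else "ambiguous"] += n
    for (client, _addr), n in pending.items():
        # No follow-up seen: wrong password, idle user, or changed address.
        stats[client]["tgt_unconfirmed"] += n
    return dict(stats)
```

A `tgt_unconfirmed` count is a lead for review rather than proof of a bad password, for the reasons given in the reply.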