tracking user activities in kerberos
Ken Raeburn
raeburn at MIT.EDU
Fri Jun 22 18:40:10 EDT 2007
On Jun 22, 2007, at 18:02, Gopal Paliwal wrote:
> I wanted to know is there any way in kerberos by which I would be
> able to track the user activities.
>
> By tracking I mean that I should be able to know that currently
> which user is having a ticket for which service, how many times did that
> user access that service in the last 'x' number of days, how many times
> did he successfully authenticate & how many times did he fail the
> authentication process.
Depends on your implementations. Obviously you could have your
servers log accesses. The MIT KDC will log which tickets are issued,
but won't indicate the lifetimes of the tickets, and the KDC doesn't
know whether or when or how often they actually get used. Usually
they're not requested unless they're about to be used, though.
Successful and failed initial authentication aren't recorded in the
default case because the KDC doesn't have that information -- it only
knows who asked for initial credentials and when, and can't
distinguish a legitimate user from someone trying to break into the
account. (You could look for multiple initial-ticket requests from a
single source in a short period of time, but that merely suggests
that someone is getting the password wrong and keeps trying. A
serious attacker is likely to make one request, and then try many
passwords to decrypt it -- which looks just the same as when the user
actually logs in.) If you enable some kind of preauthentication
scheme, that may provide more information to the KDC, by requiring
some degree of authentication before tickets get issued.
Ken
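The reply above says what the MIT KDC can and cannot tell you: it logs which tickets it issues, it sees initial-ticket (AS_REQ) and service-ticket (TGS_REQ) requests, and only with preauthentication enabled does it learn that a request failed. The following script is an added example, not code from this thread or from MIT Kerberos; it parses a handful of constructed log lines written in the shape of MIT krb5kdc.log output (the exact format varies by version, so LINE_RE is an assumption to adapt) and answers the three questions from the original question as far as the KDC log allows: AS_REQ successes and preauth failures per principal, TGS_REQ issues per (principal, service) in a trailing window, and the "multiple initial-ticket requests from a single source in a short period" heuristic Ken mentions. The syslog-style timestamps carry no year, so the parser assumes one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of MIT krb5kdc.log entries (assumption:
# real output differs between releases; adjust LINE_RE for your KDC).
SAMPLE_LOG = """\
Jun 22 18:02:11 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1182549731, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 22 18:02:40 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1182549731, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/files.example.com@EXAMPLE.COM
Jun 22 18:05:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jun 22 18:05:03 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jun 22 18:05:04 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jun 22 18:05:06 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1182549906, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 23 09:00:00 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1182589200, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/files.example.com@EXAMPLE.COM
"""

# Assumed line shape: "<ts> <host> krb5kdc[pid](level): <AS_REQ|TGS_REQ> (...) <src>: <STATUS>: ... <client> for <service>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<src>[\d.:a-fA-F]+): (?P<status>[A-Z_]+):"
    r".*?(?P<client>\S+@\S+) for (?P<service>[^\s,]+)"
)


def parse_kdc_log(text, year=2007):
    """Turn log text into event dicts; lines that do not match are skipped.
    The year is assumed because syslog-style timestamps omit it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "kind": m["kind"], "src": m["src"],
                       "status": m["status"], "client": m["client"],
                       "service": m["service"]})
    return events


def auth_summary(events):
    """Per principal: issued initial tickets vs. failed AS_REQs.
    Failures only appear when preauthentication is enabled, as the reply notes."""
    summary = defaultdict(lambda: {"as_issued": 0, "as_failed": 0})
    for e in events:
        if e["kind"] != "AS_REQ":
            continue
        key = "as_issued" if e["status"] == "ISSUE" else "as_failed"
        summary[e["client"]][key] += 1
    return dict(summary)


def service_ticket_counts(events, since, days):
    """Service tickets issued per (principal, service) in the `days` before `since`.
    This counts ticket issuance, not actual use; the KDC never sees the latter."""
    start = since - timedelta(days=days)
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "TGS_REQ" and e["status"] == "ISSUE" and start <= e["ts"] <= since:
            counts[(e["client"], e["service"])] += 1
    return dict(counts)


def burst_sources(events, window_seconds=60, threshold=3):
    """Sources that sent >= threshold AS_REQs inside any window_seconds span.
    A sliding window over sorted timestamps finds the densest run per source."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "AS_REQ":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    print("initial auth per principal:", auth_summary(evs))
    print("service tickets, last day:",
          service_ticket_counts(evs, datetime(2007, 6, 23, 12, 0, 0), 1))
    print("bursty sources:", burst_sources(evs))
```

As the reply warns, the burst heuristic only surfaces repeated requests from one source; a single AS_REQ answered with encrypted material and attacked offline looks identical to a normal login in this log, which is exactly why preauthentication changes what the KDC can record.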