Snapshot of monthly KDC traffic for stanford.edu

[Russ Allbery]

I just finished the metrics scripts that generate this information and
thought a snapshot of what one site sees over the course of a month may be
of general interest.

Kerberos authentications from 2010-03-01 to 2010-03-31 

Initial authentications: 141,593,443
        Service tickets:  47,641,042
   Total tickets issued: 189,234,485

   Unique users in 2010-03: 45,499
Unique services in 2010-03:  1,108

Breakdown of initial authentications:

Type            Count  Percent
--------  -----------  -------
Users      87,062,015    61.5%
CGI        13,150,066     9.3%
Services   41,381,362    29.2%
--------  -----------  -------
TOTAL:    141,593,443         

Breakdown of service tickets:

Type           Count  Percent
--------  ----------  -------
Users     20,883,723    43.8%
CGI       14,888,789    31.3%
Services  11,868,530    24.9%
--------  ----------  -------
TOTAL:    47,641,042         

The terminology has been managementized.  "Initial authentications" are
AS-REQs and "Service tickets" are TGS-REQs, currently including the
TGS-REQ for ticket renewals.  In the type breakdown, users are the
principals that mean someone was entering a password, and services is
everything else.  Unique users only counts the users with passwords, not
the other stuff.  "Unique services," in a minor conflation of terminology,
is the number of unique principals for which we issued service tickets in
the course of the month.

I'm intrigued by the *huge* margin between the number of initial
authentications and the number of service tickets issued.  This appears to
be due to a couple of factors: large numbers of desktops without keytabs
that use Kerberos for local authentication, screen lock, and so forth; and
the habit of some implementations, apparently, of spraying the KDCs with
AS-REQs when authenticating rather than sending only one.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>