Snapshot of monthly KDC traffic for stanford.edu
Russ Allbery
rra at stanford.edu
Thu Apr 1 17:32:42 EDT 2010
I just finished the metrics scripts that generate this information and
thought a snapshot of what one site sees over the course of a month may be
of general interest.
Kerberos authentications from 2010-03-01 to 2010-03-31
Initial authentications: 141,593,443
Service tickets: 47,641,042
Total tickets issued: 189,234,485
Unique users in 2010-03: 45,499
Unique services in 2010-03: 1,108
Breakdown of initial authentications:
Type Count Percent
-------- ----------- -------
Users 87,062,015 61.5%
CGI 13,150,066 9.3%
Services 41,381,362 29.2%
-------- ----------- -------
TOTAL: 141,593,443
Breakdown of service tickets:
Type Count Percent
-------- ---------- -------
Users 20,883,723 43.8%
CGI 14,888,789 31.3%
Services 11,868,530 24.9%
-------- ---------- -------
TOTAL: 47,641,042
The terminology has been managementized. "Initial authentications" are
AS-REQs and "Service tickets" are TGS-REQs, currently including the
TGS-REQ for ticket renewals. In the type breakdown, users are the
principals that mean someone was entering a password, and services is
everything else. Unique users only counts the users with passwords, not
the other stuff. "Unique services," in a minor conflation of terminology,
is the number of unique principals for which we issued service tickets in
the course of the month.
I'm intrigued by the *huge* margin between the number of initial
authentications and the number of service tickets issued. This appears to
be due to a couple of factors: large numbers of desktops without keytabs
that use Kerberos for local authentication, screen lock, and so forth; and
the habit of some implementations, apparently, of spraying the KDCs with
AS-REQs when authenticating rather than sending only one.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list