Log data on KDC

Roland C. Dowdeswell elric at imrryr.org
Thu Apr 19 18:27:57 EDT 2012


On Wed, Mar 21, 2012 at 01:07:32PM -0700, Russ Allbery wrote:
>
> Jeff Blaine <jblaine at kickflop.net> writes:
> 
> > What should I be concerned about from krb5kdc.log getting off of a KDC?
> > I'm often not as out-of-the-box thinking as I need to be when it comes
> > to possibly sensitive/exploitable information in the hands of someone
> > with an agenda.
> 
> User privacy, basically.  The KDC log will tell you every Kerberized
> service that every user authenticated to, and when they did so.  It will
> also tell you what IP addresses they were at during particular times,
> which in combination with a good GeoIP database will tell you their
> physical location.  If your site uses Kerberos heavily and allows access
> to traveling users, you can from that derive rather extensive information
> about people's movements and their usage patterns.

You can also glean passwds from the logs by looking for AS_REQs for
non-existent principals.  Users have a tendency to enter the passwd at
the user prompt when using certain login applications and these will
appear in your logs as a failed AS_REQ for <their_passwd>@<your_realm>.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
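
One way to scrub such entries before krb5kdc.log is copied off the KDC, as an added example that is not part of the original post. The line layout is an assumption based on MIT krb5 style logging, the sample lines are constructed, and the names redact_line and sanitize are hypothetical.

```python
import re

# Assumed MIT-krb5-style layout of an unknown-client failure in krb5kdc.log:
#   ... AS_REQ (...) <ip>: CLIENT_NOT_FOUND: <client> for <server>, Client not found ...
# The <client> field is whatever was typed at the user prompt, possibly a password.
NOT_FOUND = re.compile(
    r"(?P<head>\bAS_REQ\b.*?:\s*CLIENT_NOT_FOUND:\s*)"
    r"(?P<client>.*?)"
    r"(?P<tail>\s+for\s+\S+,\s*Client not found in Kerberos database.*)$"
)
PLACEHOLDER = "<redacted-unknown-principal>"


def redact_line(line):
    """Return (line, changed); only unknown-client AS_REQ failures are rewritten."""
    m = NOT_FOUND.search(line)
    if m is None:
        return line, False
    # Drop the whole client field: a typed password may itself contain '@' or ' for '.
    return line[:m.start()] + m.group("head") + PLACEHOLDER + m.group("tail"), True


def sanitize(lines):
    """Redact every matching line; return (cleaned_lines, number_redacted)."""
    cleaned, hits = [], 0
    for raw in lines:
        new, changed = redact_line(raw.rstrip("\n"))
        cleaned.append(new)
        hits += int(changed)
    return cleaned, hits


# Constructed sample lines (not taken from any real KDC).
PREFIX = "Apr 19 18:2%d:00 kdc1 krb5kdc[411](info): %s (4 etypes {18 17 16 23}) 192.0.2.10: "
ISSUE = "ISSUE: authtime 1334874001, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for "
SAMPLE = [
    PREFIX % (0, "AS_REQ") + ISSUE + "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
    PREFIX % (1, "AS_REQ") + "CLIENT_NOT_FOUND: Tr0ub4dor for 3@EXAMPLE.ORG for "
    "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database",
    PREFIX % (2, "TGS_REQ") + ISSUE + "host/shell.example.org@EXAMPLE.ORG",
]

if __name__ == "__main__":
    cleaned, hits = sanitize(SAMPLE)
    print("\n".join(cleaned))
    print(f"{hits} line(s) redacted")
```

Successful AS_REQ and TGS_REQ lines pass through unchanged, so the user, service and address information described in the quoted reply is still present in the output.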

