Log data on KDC
Roland C. Dowdeswell
elric at imrryr.org
Thu Apr 19 18:27:57 EDT 2012
On Wed, Mar 21, 2012 at 01:07:32PM -0700, Russ Allbery wrote:
>
> Jeff Blaine <jblaine at kickflop.net> writes:
>
> > What should I be concerned about from krb5kdc.log getting off of a KDC?
> > I'm often not as out-of-the-box thinking as I need to be when it comes
> > to possibly sensitive/exploitable information in the hands of someone
> > with an agenda.
>
> User privacy, basically. The KDC log will tell you every Kerberized
> service that every user authenticated to, and when they did so. It will
> also tell you what IP addresses they were at during particular times,
> which in combination with a good GeoIP database will tell you their
> physical location. If your site uses Kerberos heavily and allows access
> to traveling users, you can from that derive rather extensive information
> about people's movements and their usage patterns.
You can also glean passwds from the logs by looking for AS_REQs for
non-existent principals. Users have a tendeny to enter the passwd at
the user prompt when using certain login applications and these will
appear in your logs as a failed AS_REQ for <their_passwd>@<your_realm>.
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
More information about the Kerberos
mailing list