Log data on KDC

Russ Allbery rra at stanford.edu
Wed Mar 21 16:07:32 EDT 2012


Jeff Blaine <jblaine at kickflop.net> writes:

> What should I be concerned about from krb5kdc.log getting off of a KDC?
> I'm often not as out-of-the-box thinking as I need to be when it comes
> to possibly sensitive/exploitable information in the hands of someone
> with an agenda.

User privacy, basically.  The KDC log will tell you every Kerberized
service that every user authenticated to, and when they did so.  It will
also tell you what IP addresses they were at during particular times,
which in combination with a good GeoIP database will tell you their
physical location.  If your site uses Kerberos heavily and allows access
to traveling users, you can from that derive rather extensive information
about people's movements and their usage patterns.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list