query about a possible "KRB5KEYLOGFILE" feature, to log session keys

Richard E. Silverman res at qoxp.net
Sun Mar 17 23:44:28 EDT 2024


> 2. A client may not have access to the session keys in its ccache, e.g. if 
> it’s using gssproxy.

Oops, sorry -- that’s a little off the mark. In that case of course session-key logging won’t help the client directly, since it doesn’t perform those operations or call libkrb5 itself at all; the gssproxy daemon does. In that case we’d apply KRB5KEYLOGFILE to the daemon. But there is a second reason nonetheless: it’s easier for debugging. A long-lived client process under observation could have its ccache flushed by ticket renewal or similar management, losing the needed session keys (and a mechanism like gssproxy could in fact have several ccaches it manages) -- whereas setting KRB5KEYLOGFILE would reliably capture them all without extra work.

-- 
   Richard

