[krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging
Richard Basch via RT
rt-comment at krbdev.mit.edu
Mon Dec 16 02:49:08 EST 2013
I also noticed one other anomaly... For TGS_REQ server princ lookup
failures, it logs twice...
i.e. two messages stating "Server not found in Kerberos database".
(It only occurs with TGS_REQ, not AS_REQ.)
Aside from the double logging (which is misleading), here is a quick patch
which I think fixes the issue.
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 268d4f4..95c3e23 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -555,6 +555,19 @@ process_as_req(krb5_kdc_req *request, krb5_data
*req_pkt,
}
limit_string(state->cname);
+ if (!state->request->server) {
+ state->status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
+ }
+ if ((errcode = krb5_unparse_name(kdc_context,
+ state->request->server,
+ &state->sname))) {
+ state->status = "UNPARSING_SERVER";
+ goto errout;
+ }
+ limit_string(state->sname);
+
/*
* We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
* to the backend to return naming information in lieu
@@ -604,18 +617,6 @@ process_as_req(krb5_kdc_req *request, krb5_data
*req_pkt,
au_state->stage = SRVC_PRINC;
- if (!state->request->server) {
- state->status = "NULL_SERVER";
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- goto errout;
- }
- if ((errcode = krb5_unparse_name(kdc_context,
- state->request->server,
- &state->sname))) {
- state->status = "UNPARSING_SERVER";
- goto errout;
- }
- limit_string(state->sname);
s_flags = 0;
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c12de2b..76dca73 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -237,6 +237,7 @@ process_tgs_req(struct server_handle *handle, krb5_data
*pkt
errcode = search_sprinc(kdc_active_realm, request, s_flags, &server,
&status);
+ sprinc = request->server;
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
-----Original Message-----
From: krb5-bugs-bounces at MIT.EDU [mailto:krb5-bugs-bounces at MIT.EDU] On Behalf
Of Richard Basch via RT
Sent: Thursday, December 12, 2013 4:19 PM
To: 'AdminCc of krbdev.mit.edu Ticket #7802':
Subject: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging
If a user attempts to authenticate with an unknown client or to an unknown
service, the service name is not depicted in the Kerberos logs.
This makes anomaly detection harder to perform as well as impede
diagnostics.
How to reproduce:
1. For AS_REQ, simply use kinit with an unknown client name
(krbtgt/REALM at REALM will not be logged as the service name).
2. For TGS_REQ, simply use kvno to query an unknown service name.
What should have happened:
It should log the attempt for "client for service", not "client for <unknown
server>"
____________________________________________________________________________
__
Richard Basch
VP, Technology - Critical Infrastructure
30 Hudson St. 24th Floor | Jersey City, NJ 07302
Goldman, Sachs & Co
richard.basch at gs.com<mailto:richard.basch at gs.com> | +1 (917) 343-4071
P Save a tree: Please don't print this mail unless necessary.
The Goldman Sachs Group, Inc. All rights reserved.
See http://www.gs.com/disclaimer/global_email for important risk
disclosures, conflicts of interest and other terms and conditions relating
to this e-mail and your reliance on information contained in it. This
message may contain confidential or privileged information. If you are not
the intended recipient, please advise us immediately and delete this
message. See http://www.gs.com/disclaimer/email for further information on
confidentiality and the risks of non-secure electronic communication. If
you cannot access these links, please notify us by reply message and we will
send the contents to you.
_______________________________________________
krb5-bugs mailing list
krb5-bugs at mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
More information about the krb5-bugs
mailing list