[krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging

Tom Yu via RT rt-comment at krbdev.mit.edu
Tue Dec 24 15:00:11 EST 2013

"Richard Basch via RT" <rt-comment at krbdev.mit.edu> writes:

> If a user attempts to authenticate with an unknown client or to an unknown service, the service name is not depicted in the Kerberos logs.
> This makes anomaly detection harder to perform as well as impeding diagnostics.
> How to reproduce:
> 1. For AS_REQ, simply use kinit with an unknown client name (krbtgt/REALM@REALM will not be logged as the service name).

Can you clarify whether you see this with both krb5-1.11 and
krb5-1.12?  By my reading of the code, your patch to do_as_req.c
undoes the move of a code block that happened between krb5-1.11 and

> 2. For TGS_REQ, simply use kvno to query an unknown service name.

As I recall from the code in do_tgs_req.c, the behavior for krb5-1.11
and krb5-1.12 for unknown service principal names should be the same,
so the patch probably applies to both.
