Ken Raeburn raeburn at MIT.EDU
Thu Jan 15 15:09:59 EST 2004

On Thursday, Jan 15, 2004, at 14:59 US/Eastern, Prabhakaran vaidya 

> I have a related question. We were trying to look at kdc.log files to 
> find if there was an incorrect password attempt
> and could not find any difference between successful and unsuccessful 
> attempts. Any help how to get this
> information will be appreciated.  By default the KDC is compiled as 
> read only and we have another system of records
> that feeds the KDCs. So we would like to lock at the source and flow 
> it down to KDCs.
> Thanks
> -prab

Are you using a preauthentication scheme?  If not, then there is no 
difference as far as the KDc is concerned.  The client asks for 
something encrypted in the user's key, and the KDC delivers; it doesn't 
know whether the client successfully decrypted it or not.  By examining 
patterns (did the client ask for additional tickets? did another 
initial-ticket request follow shortly?) you might be able to infer what 
probably happened, but it's by no means sure.  (If another 
initial-ticket request came in shortly after the first, perhaps the 
user changed options and explicitly asked for new tickets.)

The preauthentication schemes typically will log something if the data 
they receive (often, not always, including something encrypted using 
the user's key) cannot be decrypted properly, I think.


More information about the krbdev mailing list