KRBCONF_KDC_MODIFIES_KDB
Ken Raeburn
raeburn at MIT.EDU
Thu Jan 15 15:09:59 EST 2004
On Thursday, Jan 15, 2004, at 14:59 US/Eastern, Prabhakaran vaidya
wrote:
> I have a related question. We were trying to look at kdc.log files to
> find if there was an incorrect password attempt
> and could not find any difference between successful and unsuccessful
> attempts. Any help how to get this
> information will be appreciated. By default the KDC is compiled as
> read only and we have another system of records
> that feeds the KDCs. So we would like to lock at the source and flow
> it down to KDCs.
> Thanks
> -prab
Are you using a preauthentication scheme? If not, then there is no
difference as far as the KDC is concerned. The client asks for
something encrypted in the user's key, and the KDC delivers; it doesn't
know whether the client successfully decrypted it or not. By examining
patterns (did the client ask for additional tickets? did another
initial-ticket request follow shortly?) you might be able to infer what
probably happened, but it's by no means sure. (If another
initial-ticket request came in shortly after the first, perhaps the
user changed options and explicitly asked for new tickets.)
The preauthentication schemes typically will log something if the data
they receive (often, not always, including something encrypted using
the user's key) cannot be decrypted properly, I think.
Ken
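
The pattern-based inference described in the reply above, as an added example that is not part of the original message or of MIT Kerberos: it labels each issued initial ticket by what the same principal did next. The log lines are constructed, their layout is an assumed simplification of krb5kdc logging, and the 60-second window and the names `parse` and `classify` are hypothetical. The labels are hints only, since a quick second AS_REQ can also be a user asking for new tickets with different options.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified krb5kdc layout.
SAMPLE_LOG = """\
Jan 15 15:00:00 kdc1 krb5kdc[411](info): AS_REQ 10.0.0.5: ISSUE: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 15 15:00:02 kdc1 krb5kdc[411](info): TGS_REQ 10.0.0.5: ISSUE: alice@EXAMPLE.COM for host/app1.example.com@EXAMPLE.COM
Jan 15 15:01:00 kdc1 krb5kdc[411](info): AS_REQ 10.0.0.9: ISSUE: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 15 15:01:20 kdc1 krb5kdc[411](info): AS_REQ 10.0.0.9: ISSUE: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 15 15:01:25 kdc1 krb5kdc[411](info): TGS_REQ 10.0.0.9: ISSUE: bob@EXAMPLE.COM for host/app1.example.com@EXAMPLE.COM
Jan 15 15:05:00 kdc1 krb5kdc[411](info): AS_REQ 10.0.0.7: ISSUE: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(info\): "
                  r"(AS_REQ|TGS_REQ) \S+: ISSUE: (\S+) for (\S+)$")

def parse(text, year=2004):
    """Return sorted (timestamp, request type, client principal) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def classify(events, window=timedelta(seconds=60)):
    """Label each issued AS_REQ by the same principal's next request."""
    results = []
    for i, (ts, kind, princ) in enumerate(events):
        if kind != "AS_REQ":
            continue
        verdict = "unknown"  # nothing followed within the window
        for ts2, kind2, princ2 in events[i + 1:]:
            if ts2 - ts > window:
                break
            if princ2 != princ:
                continue
            # A TGS_REQ means the TGT was usable; another AS_REQ is a retry.
            verdict = "ticket-used" if kind2 == "TGS_REQ" else "retried"
            break
        results.append((ts.strftime("%H:%M:%S"), princ, verdict))
    return results

if __name__ == "__main__":
    for row in classify(parse(SAMPLE_LOG)):
        print(*row)
```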