Auditing Feature in Kerberos

K.G. Gokulavasan kgokulavasan at
Tue Apr 4 06:49:16 EDT 2006

  The scenario where auth_time + principal_name won't be sufficient to
link TGT with TGS will be the same principal having requested for 2 TGTs
at the same time. Either the request can be from the same host or
different hosts. Adding client host address to auth_time +
principal_name will help in linking the TGT with TGS when the requests
are from different hosts. So the left out one is the same principal
requesting for 2 TGTs at the same time from the same host. I feel this
is not a common scenario and auth_time + principal_name +
client_host_address should be sufficient.


>>> Jeffrey Hutzelman <jhutz at> 3/28/06 5:40 AM >>>

On Wednesday, March 22, 2006 09:19:39 AM -0500 Jeffrey Altman 
<jaltman at> wrote:

> I'm wondering if it might be useful to store a hash of issued
> in the audit log.  We can then also log the hash of the presented
> ticket in the audit log for the purpose of providing a binding.

Interestinly, that same idea came up in an offline conversation I had
recently about this issue.  I think it's a good one.

-- Jeff

More information about the krbdev mailing list