Auditing Feature in Kerberos
kgokulavasan at novell.com
Tue Apr 4 06:49:16 EDT 2006
The scenario where auth_time + principal_name won't be sufficient to
link a TGT with a TGS is the same principal having requested 2 TGTs
at the same time. The requests can be from either the same host or
different hosts. Adding the client host address to auth_time +
principal_name will help in linking the TGT with the TGS when the requests
are from different hosts. So the left-out case is the same principal
requesting 2 TGTs at the same time from the same host. I feel this
is not a common scenario, and auth_time + principal_name +
client_host_address should be sufficient.
>>> Jeffrey Hutzelman <jhutz at cmu.edu> 3/28/06 5:40 AM >>>
On Wednesday, March 22, 2006 09:19:39 AM -0500 Jeffrey Altman
<jaltman at mit.edu> wrote:
> I'm wondering if it might be useful to store a hash of issued
> in the audit log. We can then also log the hash of the presented
> ticket in the audit log for the purpose of providing a binding.
Interestingly, that same idea came up in an offline conversation I had
recently about this issue. I think it's a good one.
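The two linking strategies discussed in this thread, worked through in Python as an added example (not code from the thread or from the MIT krb5 project). The audit records, principal names, addresses and ticket byte strings below are constructed placeholders; real KDC audit records would carry the encoded ticket, not a short tag, and the field names used here are assumptions, not any KDC's actual log schema.

```python
"""Linking TGT issuance (AS exchange) to service-ticket requests (TGS
exchange) in a KDC audit log.

Two approaches from the thread are implemented:
  1. match on a tuple of (principal, auth_time, client address), and
  2. match on a hash of the issued ticket against a hash of the ticket
     presented in the later TGS request.
"""

from collections import defaultdict
import hashlib

# Constructed sample records (not output of any real KDC). Each AS record is
# one TGT issuance; each TGS record is a request that presented a TGT.
AS_EVENTS = [
    {"princ": "alice@EXAMPLE.COM", "auth_time": 1144145000,
     "client_addr": "10.0.0.5", "ticket": b"tgt-alice-1"},
    # bob: two TGTs in the same second from DIFFERENT hosts
    {"princ": "bob@EXAMPLE.COM", "auth_time": 1144145000,
     "client_addr": "10.0.0.7", "ticket": b"tgt-bob-1"},
    {"princ": "bob@EXAMPLE.COM", "auth_time": 1144145000,
     "client_addr": "10.0.0.9", "ticket": b"tgt-bob-2"},
    # carol: the residual case from the thread, two TGTs in the same
    # second from the SAME host
    {"princ": "carol@EXAMPLE.COM", "auth_time": 1144145001,
     "client_addr": "10.0.0.11", "ticket": b"tgt-carol-1"},
    {"princ": "carol@EXAMPLE.COM", "auth_time": 1144145001,
     "client_addr": "10.0.0.11", "ticket": b"tgt-carol-2"},
]

TGS_EVENTS = [
    {"princ": "alice@EXAMPLE.COM", "auth_time": 1144145000,
     "client_addr": "10.0.0.5", "service": "host/fs1.example.com",
     "presented": b"tgt-alice-1"},
    {"princ": "bob@EXAMPLE.COM", "auth_time": 1144145000,
     "client_addr": "10.0.0.9", "service": "imap/mail.example.com",
     "presented": b"tgt-bob-2"},
    {"princ": "carol@EXAMPLE.COM", "auth_time": 1144145001,
     "client_addr": "10.0.0.11", "service": "host/fs1.example.com",
     "presented": b"tgt-carol-2"},
]

FULL_TUPLE = ("princ", "auth_time", "client_addr")
NO_ADDR_TUPLE = ("princ", "auth_time")


def ticket_hash(ticket_bytes):
    """Hash of a ticket as it would be recorded at issue time and again when
    presented; SHA-256 is an assumption, the thread names no algorithm."""
    return hashlib.sha256(ticket_bytes).hexdigest()


def link_by_tuple(as_events, tgs_events, fields=FULL_TUPLE):
    """Link each TGS record to the AS records sharing the chosen fields.
    Returns [(tgs_record, [candidate AS records])]; a candidate list with
    more than one entry means the tuple could not disambiguate."""
    index = defaultdict(list)
    for ev in as_events:
        index[tuple(ev[f] for f in fields)].append(ev)
    return [(t, index.get(tuple(t[f] for f in fields), []))
            for t in tgs_events]


def ambiguous_principals(as_events, tgs_events, fields=FULL_TUPLE):
    """Principals whose TGS requests the tuple method cannot bind to exactly
    one TGT (either no match or several)."""
    return [t["princ"]
            for t, cands in link_by_tuple(as_events, tgs_events, fields)
            if len(cands) != 1]


def link_by_hash(as_events, tgs_events):
    """Bind each TGS record to the single AS record whose issued-ticket hash
    equals the hash of the presented ticket; None if nothing matches."""
    index = {ticket_hash(ev["ticket"]): ev for ev in as_events}
    return [(t, index.get(ticket_hash(t["presented"]))) for t in tgs_events]


def presented_tickets_resolved(as_events, tgs_events):
    """Ticket tags the hash method resolved, in TGS record order."""
    return [a["ticket"] for _, a in link_by_hash(as_events, tgs_events)]


if __name__ == "__main__":
    print("ambiguous without client address:",
          ambiguous_principals(AS_EVENTS, TGS_EVENTS, NO_ADDR_TUPLE))
    print("ambiguous with client address:   ",
          ambiguous_principals(AS_EVENTS, TGS_EVENTS))
    print("resolved by ticket hash:         ",
          presented_tickets_resolved(AS_EVENTS, TGS_EVENTS))
```

Run as a script, the first line shows bob and carol unresolved with only principal and auth_time, the second shows that adding the client address leaves only carol (same principal, same second, same host), and the third shows the ticket-hash binding resolving all three, including carol's second TGT.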