Auditing Feature in Kerberos

Nicolas Williams Nicolas.Williams at
Tue Apr 4 14:50:44 EDT 2006

On Tue, Apr 04, 2006 at 06:49:16AM -0400, K.G. Gokulavasan wrote:
> Hi,
>   The scenario where auth_time + principal_name won't be sufficient to
> link TGT with TGS will be the same principal having requested for 2 TGTs
> at the same time. Either the request can be from the same host or
> different hosts. Adding client host address to auth_time +
> principal_name will help in linking the TGT with TGS when the requests
> are from different hosts. So the left out one is the same principal
> requesting for 2 TGTs at the same time from the same host. I feel this
> is not a common scenario and auth_time + principal_name +
> client_host_address should be sufficient.

But that's not enough either, particularly in an authorization-data-rich

OTOH, you can't audit all possibly relevant bits of data about a
request, since that may amount to too much of the request itself.

I wish initial tickets had some ticket ID that could be referenced by
subsequent non-initial tickets and which could be used to tie audit
trails together.  But a Ticket fingerprint will probably do just fine.


More information about the krbdev mailing list