Auditing Feature in Kerberos

greg@enjellic.com greg at enjellic.com
Tue Apr 4 16:37:03 EDT 2006


On Apr 4,  1:50pm, Nicolas Williams wrote:
} Subject: Re: Auditing Feature in Kerberos

> On Tue, Apr 04, 2006 at 06:49:16AM -0400, K.G. Gokulavasan wrote:
> > Hi,
> >   The scenario where auth_time + principal_name won't be sufficient to
> > link TGT with TGS will be the same principal having requested for 2 TGTs
> > at the same time. Either the request can be from the same host or
> > different hosts. Adding client host address to auth_time +
> > principal_name will help in linking the TGT with TGS when the requests
> > are from different hosts. So the left out one is the same principal
> > requesting for 2 TGTs at the same time from the same host. I feel this
> > is not a common scenario and auth_time + principal_name +
> > client_host_address should be sufficient.

> But that's not enough either, particularly in an authorization-data-rich
> world.
> 
> OTOH, you can't audit all possibly relevant bits of data about a
> request, since that may amount to too much of the request itself.
> 
> I wish initial tickets had some ticket ID that could be referenced by
> subsequent non-initial tickets and which could be used to tie audit
> trails together.  But a Ticket fingerprint will probably do just fine.

I proposed an exact correlation mechanism in this thread last week.
It should be in the archives.

In the meantime I coded up basic support for it in our authorization
payloads.  It's trivially easy to implement.

I have difficulty understanding the inertia associated with doing this
right.  Especially when the word 'audit' is involved.

Based on experiences here it would seem my perception of reality is
markedly different than most others.

> Nico

Greg

}-- End of excerpt from Nicolas Williams

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Join in the new game that's sweeping the country.  It's called
`Bureaucracy`.  Everybody stands in a circle.  The first person to do
anything loses."
                                -- Steve RTFM Przepiora
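As an added illustration of the point argued in this thread (example code written for this page, not from the list or from any Kerberos implementation): a small Python model of KDC audit records showing why auth_time + principal + client address cannot tell two concurrent TGTs apart, while a fingerprint of the issued ticket links each TGS-REQ to exactly one AS-REQ. The record layout, field names and ticket bytes are constructed for the example.

```python
import hashlib
from collections import defaultdict

def ticket_fingerprint(ticket_bytes: bytes) -> str:
    """Fingerprint of an issued ticket: SHA-256 over its encoded bytes.
    The KDC sees the TGT again inside every TGS-REQ, so the AS record
    (ticket issued) and the TGS record (ticket presented) share the value."""
    return hashlib.sha256(ticket_bytes).hexdigest()

# Constructed tickets: same client, same host, same second; the encoded
# tickets differ (different session keys) so their fingerprints differ.
TGT_A = b"constructed-tgt-bytes-session-key-A"
TGT_B = b"constructed-tgt-bytes-session-key-B"

# Constructed audit records. auth_time is a constructed epoch value; the TGS
# record carries the fingerprint of the TGT presented with the request.
AUDIT = [
    {"id": "as-1", "event": "AS_REQ", "client": "alice@EXAMPLE.COM",
     "client_addr": "192.0.2.10", "auth_time": 1144166400,
     "tgt_fp": ticket_fingerprint(TGT_A)},
    {"id": "as-2", "event": "AS_REQ", "client": "alice@EXAMPLE.COM",
     "client_addr": "192.0.2.10", "auth_time": 1144166400,
     "tgt_fp": ticket_fingerprint(TGT_B)},
    {"id": "tgs-1", "event": "TGS_REQ", "client": "alice@EXAMPLE.COM",
     "client_addr": "192.0.2.10", "auth_time": 1144166400,
     "service": "host/db.example.com", "tgt_fp": ticket_fingerprint(TGT_B)},
]

def key_by_tuple(rec):
    """The correlation key proposed earlier in the thread."""
    return (rec["auth_time"], rec["client"], rec["client_addr"])

def key_by_fingerprint(rec):
    """The ticket-fingerprint key suggested as an alternative."""
    return rec["tgt_fp"]

def correlate(records, key_fn):
    """For each TGS record, list the AS record ids sharing its key.
    Exactly one id is an unambiguous link; several means the key is too weak."""
    initial = defaultdict(list)
    for r in records:
        if r["event"] == "AS_REQ":
            initial[key_fn(r)].append(r["id"])
    return {r["id"]: initial.get(key_fn(r), [])
            for r in records if r["event"] == "TGS_REQ"}

if __name__ == "__main__":
    print(correlate(AUDIT, key_by_tuple))        # {'tgs-1': ['as-1', 'as-2']}
    print(correlate(AUDIT, key_by_fingerprint))  # {'tgs-1': ['as-2']}
```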