Auditing Feature in Kerberos

Jeffrey Altman jaltman at MIT.EDU
Tue Apr 4 17:03:36 EDT 2006

greg at wrote:
> I proposed an exact correllation mechanism in this thread last week.
> It should be in the archives.

you suggested the kdc insert a serial number into an authz data type.

> In the meantime I coded up basic support for it in our authorization
> payloads.  Its trivially easy to implement.
> I have difficulty understanding the inertia associated with doing this
> right.  Especially when the word 'audit' is involved.

I believe the issue is that we do not believe that there has been
consensus on what is "right".  Inserting a serial number into tickets
issued by the kdc can be used to associate the tickets issued in the
TGS-REP with the TGS-REQ.  It can't be used to associate the AS-REP
with the AS-REQ.  For this I believe you must use a hash of the request
and a hash of the reply.

You argued that using hashes won't work when there are multiple KDCs
involved?  Can you elaborate on why you believe this to be true and
how the serial number would solve the problem?

Jeffrey Altman

More information about the krbdev mailing list