Auditing Feature in Kerberos
jhutz at cmu.edu
Tue Apr 4 18:35:04 EDT 2006
On Tuesday, April 04, 2006 05:03:36 PM -0400 Jeffrey Altman
<jaltman at mit.edu> wrote:
> greg at enjellic.com wrote:
>> I proposed an exact correlation mechanism in this thread last week.
>> It should be in the archives.
> you suggested the kdc insert a serial number into an authz data type.
>> In the meantime I coded up basic support for it in our authorization
>> payloads. It's trivially easy to implement.
>> I have difficulty understanding the inertia associated with doing this
>> right. Especially when the word 'audit' is involved.
> I believe the issue is that we do not believe that there has been
> consensus on what is "right". Inserting a serial number into tickets
> issued by the kdc can be used to associate the tickets issued in the
> TGS-REP with the TGS-REQ. It can't be used to associate the AS-REP
> with the AS-REQ. For this I believe you must use a hash of the request
> and a hash of the reply.
Huh? The audit log is being generated by the KDC. It knows which AS-REP
goes with which AS-REQ because it's the AS. For an audit trail, the
interesting thing is associating TGS transactions with the earlier AS
transaction that resulted in the TGT. That is, associating an AS-REP with
one or more later TGS-REQs made using that ticket. For that purpose, a
hash of the TGT can be used.
A serial number in authz data would work too, as long as you're careful to
ensure that serial numbers don't get reused in a multi-KDC realm or across
a KDC restart. However, I don't see why inventing a new AD type for this
purpose is better than just hashing the relevant ticket.
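An added example, not from this thread or from any Kerberos implementation, of the correlation approach described above: the KDC audit log keys each AS-REP and each TGS-REQ on a hash of the TGT, so later TGS transactions can be joined back to the AS transaction that issued the ticket. It also shows the serial-number reuse caveat. Ticket bytes, principal names and service names are constructed stand-ins for real DER-encoded tickets.

```python
import hashlib

# Constructed sample tickets: stand-ins for the DER-encoded Ticket bytes a KDC
# issues in an AS-REP and later sees presented (inside the AP-REQ) in a TGS-REQ.
TGT_ALICE = b"constructed-TGT-alice@EXAMPLE.ORG-kdc1"
TGT_BOB = b"constructed-TGT-bob@EXAMPLE.ORG-kdc2"
TGT_UNKNOWN = b"constructed-TGT-not-issued-here"


def ticket_id(ticket: bytes) -> str:
    """Correlation key: hash of the ticket bytes. The same TGT yields the same
    key at issue time and at presentation time; distinct tickets get distinct
    keys regardless of which KDC issued them or how often a KDC restarted."""
    return hashlib.sha256(ticket).hexdigest()


def as_rep_record(client: str, tgt: bytes) -> dict:
    return {"type": "AS-REP", "client": client, "tgt": ticket_id(tgt)}


def tgs_req_record(client: str, tgt: bytes, service: str) -> dict:
    return {"type": "TGS-REQ", "client": client, "tgt": ticket_id(tgt),
            "service": service}


def correlate(audit: list) -> tuple:
    """Attach each TGS-REQ to the AS-REP that issued the TGT it presents.
    Returns (sessions keyed by TGT id, TGS-REQs whose TGT has no AS-REP)."""
    sessions = {}
    for rec in audit:
        if rec["type"] == "AS-REP":
            sessions[rec["tgt"]] = {"as_rep": rec, "tgs_reqs": []}
    orphans = []
    for rec in audit:
        if rec["type"] == "TGS-REQ":
            if rec["tgt"] in sessions:
                sessions[rec["tgt"]]["tgs_reqs"].append(rec)
            else:
                orphans.append(rec)  # TGT never issued per this log: flag it
    return sessions, orphans


def serial_keys_collide() -> bool:
    """The caveat from the thread: a per-KDC counter that restarts at 1 gives
    two different tickets the same key, so a serial-keyed index loses one;
    a hash-keyed index keeps both."""
    serial_kdc1, serial_kdc2 = 1, 1  # both KDCs just (re)started
    serial_index = {serial_kdc1: "alice", serial_kdc2: "bob"}
    hash_index = {ticket_id(TGT_ALICE): "alice", ticket_id(TGT_BOB): "bob"}
    return len(serial_index) == 1 and len(hash_index) == 2
```

A TGS-REQ whose TGT hash matches no AS-REP in the log (an orphan) is the case an auditor would want surfaced, since the log claims the KDC never issued that ticket.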