Auditing Feature in Kerberos

K.G. Gokulavasan kgokulavasan at novell.com
Wed Mar 22 06:33:12 EST 2006


Hi,
  I think auth_time + principal_name can be used to link the TGT and
service ticket issued by TGS. The same information can be used for
auditing. Is this fine or is there a better way to link the TGT and
service ticket issued by TGS?

Regards,
 Gokul.

>>> "Douglas E. Engert" <deengert at anl.gov> 1/25/06 2:56 AM >>>


Sam Hartman wrote:

> I think that the big missing part of the current logging system that
> makes it hard to use for auditing is that it does not link service
> tickets that are issued by the TGS to the TGT used to issue them.
> 

Cross realm auditing is also a problem, and identifying all the hosts
involved in delegation, even within the same realm.



> The other problem is that the format of the data cannot easily be
> parsed or stored in a database.
> 
> --Sam
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
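
An added example, not part of the original thread or of MIT Kerberos: it links TGS-issued tickets to the AS exchange by the (principal, authtime) pair proposed above, relying on the TGS copying authtime from the TGT into the service ticket (RFC 4120). The log lines are constructed, modelled on krb5kdc ISSUE entries, and the function names are hypothetical; because authtime has one-second resolution, a key shared by several TGTs is reported as ambiguous rather than resolved by guessing.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on krb5kdc "ISSUE" entries (not real logs).
SAMPLE_LOG = """\
Mar 22 06:33:12 kdc1 krb5kdc[812](info): AS_REQ (1 etypes {16}) 192.0.2.10: ISSUE: authtime 1143027192, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 22 06:33:20 kdc1 krb5kdc[812](info): AS_REQ (1 etypes {16}) 192.0.2.20: ISSUE: authtime 1143027200, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 22 06:33:20 kdc1 krb5kdc[812](info): AS_REQ (1 etypes {16}) 192.0.2.21: ISSUE: authtime 1143027200, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 22 06:40:01 kdc1 krb5kdc[812](info): TGS_REQ (1 etypes {16}) 192.0.2.10: ISSUE: authtime 1143027192, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for host/files.example.com@EXAMPLE.COM
Mar 22 06:41:30 kdc1 krb5kdc[812](info): TGS_REQ (1 etypes {16}) 192.0.2.21: ISSUE: authtime 1143027200, etypes {rep=16 tkt=16 ses=16}, bob@EXAMPLE.COM for ldap/dir.example.com@EXAMPLE.COM
Mar 22 06:45:00 kdc1 krb5kdc[812](info): TGS_REQ (1 etypes {16}) 192.0.2.30: ISSUE: authtime 1143020000, etypes {rep=16 tkt=16 ses=16}, carol@EXAMPLE.COM for imap/mail.example.com@EXAMPLE.COM
"""

ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) .* (?P<host>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r".*, (?P<client>\S+) for (?P<server>\S+)$"
)

def parse_issues(log_text):
    """Return one dict per ISSUE line; lines in any other shape are skipped."""
    matches = (ISSUE_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def link_tickets(log_text):
    """Link each TGS-issued ticket to the AS exchange(s) sharing (client, authtime)."""
    records = parse_issues(log_text)
    tgts = defaultdict(list)  # (client, authtime) -> hosts that obtained a TGT
    for r in records:
        if r["req"] == "AS_REQ" and r["server"].startswith("krbtgt/"):
            tgts[(r["client"], r["authtime"])].append(r["host"])
    links = []
    for r in records:
        if r["req"] != "TGS_REQ":
            continue
        hosts = tgts.get((r["client"], r["authtime"]), [])
        # 0 candidates: TGT not in this log; 2+: same principal, same second.
        status = {0: "unlinked", 1: "linked"}.get(len(hosts), "ambiguous")
        links.append((r["server"], r["client"], status, hosts))
    return links

if __name__ == "__main__":
    for link in link_tickets(SAMPLE_LOG):
        print(link)
```
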


