Auditing Feature in Kerberos
Jeffrey Altman
jaltman at MIT.EDU
Wed Mar 22 09:19:39 EST 2006
K.G. Gokulavasan wrote:
> Hi,
> I think auth_time + principal_name can be used to link the TGT and
> service ticket issued by TGS. The same information can be used for
> auditing. Is this fine or is there a better way to link the TGT and
> service ticket issued by TGS?
>
> Regards,
> Gokul.
I'm wondering if it might be useful to store a hash of issued tickets
in the audit log. We can then also log the hash of the presented
ticket in the audit log for the purpose of providing a binding.
Other thoughts that have come to mind are:
* for referrals we should log the requested name and the
name to which the client was referred
* if the server is performing name canonicalization we should log
the requested name as well as the issued name
* for pkinit we should probably log some information describing
the certificate or public/private key pair used for the initial
authentication
Jeffrey Altman
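A constructed sketch of the binding Altman proposes, added here as an illustration; it is not code from this thread or from MIT Kerberos. The KDC records a hash of every ticket it issues, and the TGS records the hash of the TGT presented with each request, so a service ticket can be traced to the exact TGT it came from; the AS record also keeps the requested and issued names, covering the canonicalization/referral bullets. The `AuditLog` class, the record field names, the 1-second `auth_time` and the ticket byte strings are all assumptions made for the example (ticket bytes are opaque placeholders, not encoded Kerberos tickets). The scenario also contrasts the hash binding with the `auth_time + principal_name` key from the quoted message, which becomes ambiguous when one principal obtains two TGTs within the same second.

```python
"""Binding service tickets to TGTs in a KDC audit log (constructed example).

Models the proposal in the thread: the KDC logs a hash of every ticket it
issues, and the TGS logs the hash of the TGT presented with each request, so
a service ticket can be traced to the exact TGT it was derived from. Ticket
bytes are opaque placeholders here, not real ASN.1-encoded Kerberos tickets.
"""
import hashlib
from collections import defaultdict


def ticket_hash(ticket_bytes: bytes) -> str:
    """Hash of the encoded ticket exactly as it was sent to the client."""
    return hashlib.sha256(ticket_bytes).hexdigest()


class AuditLog:
    """Append-only list of audit records; one record per issued ticket (assumed layout)."""

    def __init__(self):
        self.records = []

    def log_as_issue(self, requested_name, issued_name, auth_time, tgt):
        # AS exchange: keep both the name the client asked for and the name
        # actually issued (canonicalization/referral), plus the TGT's hash.
        self.records.append({
            "event": "AS_ISSUE",
            "requested_name": requested_name,
            "issued_name": issued_name,
            "auth_time": auth_time,
            "ticket_hash": ticket_hash(tgt),
        })

    def log_tgs_issue(self, presented_tgt, client, auth_time, service, svc_ticket):
        # TGS exchange: hash the presented TGT alongside the new ticket's hash.
        # client and auth_time are what the TGS copied out of the TGT.
        self.records.append({
            "event": "TGS_ISSUE",
            "presented_hash": ticket_hash(presented_tgt),
            "client": client,
            "auth_time": auth_time,
            "service": service,
            "ticket_hash": ticket_hash(svc_ticket),
        })


def link_by_hash(log):
    """Service-ticket hash -> the AS_ISSUE record of the TGT that was presented."""
    issued = {r["ticket_hash"]: r for r in log.records if r["event"] == "AS_ISSUE"}
    return {r["ticket_hash"]: issued.get(r["presented_hash"])
            for r in log.records if r["event"] == "TGS_ISSUE"}


def link_by_auth_time_and_name(log):
    """Service-ticket hash -> list of candidate TGT hashes sharing
    (client name, auth_time). This is the key from the quoted message;
    it is ambiguous when one principal obtains several TGTs in one second."""
    by_key = defaultdict(list)
    for r in log.records:
        if r["event"] == "AS_ISSUE":
            by_key[(r["issued_name"], r["auth_time"])].append(r["ticket_hash"])
    return {r["ticket_hash"]: by_key[(r["client"], r["auth_time"])]
            for r in log.records if r["event"] == "TGS_ISSUE"}


# Constructed scenario: alice authenticates from two hosts within the same
# second, then uses the second TGT to get a ticket for a file server.
AUTH_TIME = 1143036000          # constructed KerberosTime (1-second resolution)
TGT_HOST1 = b"constructed-tgt-alice-host1"
TGT_HOST2 = b"constructed-tgt-alice-host2"
SVC_TICKET = b"constructed-service-ticket-alice-fileserver"


def build_sample_log():
    log = AuditLog()
    log.log_as_issue("alice", "alice@EXAMPLE.COM", AUTH_TIME, TGT_HOST1)
    log.log_as_issue("alice", "alice@EXAMPLE.COM", AUTH_TIME, TGT_HOST2)
    log.log_tgs_issue(TGT_HOST2, "alice@EXAMPLE.COM", AUTH_TIME,
                      "host/fileserver.example.com", SVC_TICKET)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    svc = ticket_hash(SVC_TICKET)
    print("by hash      ->", link_by_hash(log)[svc]["ticket_hash"][:16])
    print("by time+name ->", [h[:16] for h in link_by_auth_time_and_name(log)[svc]])
```

Hashing the ticket as encoded on the wire means the same value can be recomputed by the TGS from the presented TGT without any shared state beyond the log itself, which is what makes the binding usable by an offline correlator; the `(name, auth_time)` key, by contrast, yields two candidates in this scenario and cannot say which host's TGT was used.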