Auditing Feature in Kerberos
greg@enjellic.com
Thu Mar 23 09:24:28 EST 2006
On Mar 22, 6:33am, "K.G. Gokulavasan" wrote:
} Subject: Re: Auditing Feature in Kerberos
> Hi,
Good morning to everyone.
> I think auth_time + principal_name can be used to link the TGT and
> service ticket issued by TGS. The same information can be used for
> auditing. Is this fine or is there a better way to link the TGT and
> service ticket issued by TGS?
Place a hook in the AS_REQ/TGS_REQ routines. Define an ad_type to
hold a serial number which gets incremented for each AS_REQ and
returned in the TGT. Look for the serial number in the TGT when
processing the TGS_REQ.
Bonus points for using a long long for the serial number and saving it
over restarts of the KDC.
To properly handle cross-realm the KDCs will need to cooperate.
Probably not a stretch of imagination if the KDCs are within the
context of a larger organization. Extend the ad_data payload to
include the IP address of the KDC issuing the cross-realm ticket with
the serial number.
> Regards,
> Gokul.
Have a good day.
Greg
}-- End of excerpt from "K.G. Gokulavasan"
As always,
Dr. G.W. Wettstein, Ph.D.
Enjellic Systems Development, LLC.
4206 N. 19th Ave.
Fargo, ND 58102
Specializing in information infra-structure development.
PH: 701-281-1686
FAX: 701-281-3949
EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Because the innovator has for enemies all those who have done well
under the old conditions, and lukewarm defenders in those who may do
well under the new."
-- Niccolo Machiavelli
_The Prince_, Chapter VI
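The serial-number scheme Greg sketches above (a hook in AS_REQ that mints a persisted serial into an authorization-data element of the TGT, a hook in TGS_REQ that reads it back and links the service ticket to it, and the issuing KDC's address carried alongside for cross-realm), modelled as an added example; this is not code from the thread or from any Kerberos implementation. The ad_type number, the KDC addresses, the state-file location and the audit record layout are assumptions.

```python
import os
import tempfile

AD_TYPE_AUDIT_SERIAL = 0x7f00  # hypothetical ad_type number, not a registered value

def fresh_state_path():
    """Constructed location for the persisted serial counter (temp dir)."""
    return os.path.join(tempfile.mkdtemp(), "kdc.serial")

class Ticket:
    def __init__(self, client, service, auth_time, ad_data):
        self.client, self.service, self.auth_time = client, service, auth_time
        self.ad_data = ad_data  # list of (ad_type, payload) pairs

class KDC:
    def __init__(self, realm, ip, state_path):
        self.realm, self.ip, self.state_path = realm, ip, state_path
        self.serial = self._load_serial()  # counter survives KDC restarts
        self.audit = []                    # append-only audit records

    def _load_serial(self):
        if not os.path.exists(self.state_path):
            return 0
        with open(self.state_path) as f:
            return int(f.read().strip() or 0)

    def as_req(self, client, auth_time):
        """AS_REQ hook: mint the next serial and embed it in the TGT."""
        self.serial += 1
        with open(self.state_path, "w") as f:
            f.write(str(self.serial))
        payload = {"serial": self.serial, "kdc": self.ip}
        tgt = Ticket(client, "krbtgt/" + self.realm, auth_time,
                     [(AD_TYPE_AUDIT_SERIAL, payload)])
        self.audit.append(("AS_REQ", client, self.serial, self.ip, tgt.service))
        return tgt

    def tgs_req(self, tgt, service):
        """TGS_REQ hook: find the serial in the presented TGT and log the link."""
        payload = next((p for t, p in tgt.ad_data if t == AD_TYPE_AUDIT_SERIAL), None)
        if payload is None:
            raise ValueError("TGT carries no audit serial")
        # copy the element forward so tickets derived from this one stay linked
        st = Ticket(tgt.client, service, tgt.auth_time, list(tgt.ad_data))
        self.audit.append(("TGS_REQ", tgt.client, payload["serial"], payload["kdc"], service))
        return st

    def records_for(self, serial):  # audit query: everything tied to one TGT
        return [r for r in self.audit if r[2] == serial]
```

A foreign KDC processing a cross-realm TGT logs the issuing KDC's address from the payload rather than its own, which is what makes the chain reconstructible across realms.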