Auditing Feature in Kerberos greg at
Thu Mar 23 09:24:28 EST 2006

On Mar 22,  6:33am, "K.G. Gokulavasan" wrote:
} Subject: Re: Auditing Feature in Kerberos

> Hi,

Good morning to everyone.

>   I think auth_time + principal_name can be used to link the TGT and
> service ticket issued by TGS. The same information can be used for
> auditing. Is this fine or is there a better way to link the TGT and
> service ticket issued by TGS?

Place a hook in the AS_REQ/TGS_REQ routines.  Define an ad_type to
hold a serial number which gets incremented for each AS_REQ and
returned in the TGT.  Look for the serial number in the TGT when
processing the TGS_REQ.

Bonus points for using a long long for the serial number and saving it
over restarts of the KDC.

To properly handle cross-realm the KDC's will need to cooperate.
Probably not a stretch of imagination if the KDC's are within the
context of a larger organization.  Extend the ad_data payload to
include the IP address of the KDC issueing the cross-realm ticket with
the serial number.

> Regards,
>  Gokul.

Have a good day.


}-- End of excerpt from "K.G. Gokulavasan"

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at
"Because the innovator has for enemies all those who have done well
under the old conditions, and lukewarm defenders in those who may do
well under the new."
                                 -- Niccolo Machiavelli
                                    _The Prince_, Chapter VI

More information about the krbdev mailing list