Auditing Feature in Kerberos

Sam Hartman hartmans at MIT.EDU
Thu Mar 23 09:35:05 EST 2006

>>>>> "greg" == greg  <greg at> writes:

    greg> On Mar 22, 6:33am, "K.G. Gokulavasan" wrote: } Subject: Re:
    greg> Auditing Feature in Kerberos

    >> Hi,

    greg> Good morning to everyone.

    >> I think auth_time + principal_name can be used to link the TGT
    >> and service ticket issued by TGS. The same information can be
    >> used for auditing. Is this fine or is there a better way to
    >> link the TGT and service ticket issued by TGS?

    greg> Place a hook in the AS_REQ/TGS_REQ routines.  Define an
    greg> ad_type to hold a serial number which gets incremented for
    greg> each AS_REQ and returned in the TGT.  Look for the serial
    greg> number in the TGT when processing the TGS_REQ.

You could do this.
Why would you want to?
I believe that auth_time+principal_name is sufficient.

More information about the krbdev mailing list