Auditing Feature in Kerberos greg at
Thu Mar 23 17:42:09 EST 2006

On Mar 23,  9:35am, Sam Hartman wrote:
} Subject: Re: Auditing Feature in Kerberos

Hi Sam, thanks for the note.

> >>>>> "greg" == greg  <greg at> writes:
>     greg> On Mar 22, 6:33am, "K.G. Gokulavasan" wrote: } Subject: Re:
>     greg> Auditing Feature in Kerberos
>     >> Hi,
>     greg> Good morning to everyone.
>     >> I think auth_time + principal_name can be used to link the TGT
>     >> and service ticket issued by TGS. The same information can be
>     >> used for auditing. Is this fine or is there a better way to
>     >> link the TGT and service ticket issued by TGS?
>     greg> Place a hook in the AS_REQ/TGS_REQ routines.  Define an
>     greg> ad_type to hold a serial number which gets incremented for
>     greg> each AS_REQ and returned in the TGT.  Look for the serial
>     greg> number in the TGT when processing the TGS_REQ.

> You could do this.
> Why would you want to?

Accuracy of implementation perhaps.

> I believe that auth_time+principal_name is sufficient.

It may be but it does fail a direct correlation requirement.  If the
IP address is implemented in the payload the ad_data strategy also
allows pinning the audit trail to the KDC which issued the ticket.

It all comes down to whether or not it is sufficient to answer the
audit question with 'we think it might be' or 'it is'.

I have found that people concerned with audit trails can be
surprisingly pedantic in their assurance requirements.


}-- End of excerpt from Sam Hartman

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at
"There's nothing in the middle of the road 'cept yellow lines and
squashed armadillos."
                                -- Mike Hightower
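As an added illustration (not code from either poster or from MIT krb5), the routine below runs both linking strategies discussed in the thread over a handful of constructed audit records: the auth_time+principal_name correlation Sam considers sufficient, and the serial-number-in-ad-data approach greg proposes, with the issuing KDC's address carried alongside the serial. The record layout, field names and values are assumptions made for the example, not real KDC log output; it demonstrates that the auth_time link becomes ambiguous when one principal obtains two TGTs within the same second, while the serial link stays unique.

```python
"""Correlate service-ticket issuance (TGS_REQ) back to the TGT issuance
(AS_REQ) that produced it.  All records below are constructed for this
example; they are not krb5 KDC log lines and the field names are assumed."""
from collections import defaultdict

# Constructed audit records.  "auth_time" is the ticket's auth_time, which
# has one-second granularity.  "serial" stands in for a hypothetical
# authorization-data element stamped into the TGT at AS_REQ time and copied
# out of the presented TGT at TGS_REQ time; it pairs the issuing KDC's
# address with a per-KDC counter so the trail also pins the issuing KDC.
AUDIT_RECORDS = [
    {"event": "AS_REQ", "client": "alice@EXAMPLE.COM",
     "auth_time": 1143150000, "serial": ("10.0.0.1", 17)},
    {"event": "AS_REQ", "client": "alice@EXAMPLE.COM",   # second TGT, same second
     "auth_time": 1143150000, "serial": ("10.0.0.1", 18)},
    {"event": "AS_REQ", "client": "bob@EXAMPLE.COM",
     "auth_time": 1143150042, "serial": ("10.0.0.2", 3)},
    {"event": "TGS_REQ", "client": "alice@EXAMPLE.COM",
     "auth_time": 1143150000, "serial": ("10.0.0.1", 18),
     "service": "host/fs.example.com@EXAMPLE.COM"},
    {"event": "TGS_REQ", "client": "bob@EXAMPLE.COM",
     "auth_time": 1143150042, "serial": ("10.0.0.2", 3),
     "service": "ldap/dir.example.com@EXAMPLE.COM"},
]


def correlate_by_auth_time(records):
    """Link each TGS_REQ to every AS_REQ sharing (client, auth_time).

    Returns {tgs_index: [as_index, ...]}.  A list with more than one entry
    means the link is only probable ("we think it might be")."""
    index = defaultdict(list)
    for i, rec in enumerate(records):
        if rec["event"] == "AS_REQ":
            index[(rec["client"], rec["auth_time"])].append(i)
    return {i: list(index.get((rec["client"], rec["auth_time"]), []))
            for i, rec in enumerate(records) if rec["event"] == "TGS_REQ"}


def correlate_by_serial(records):
    """Link each TGS_REQ to the single AS_REQ carrying the same serial.

    Returns {tgs_index: as_index or None}; None means the TGT presented
    was not issued by any KDC whose audit trail we hold ("it is" / "it isn't")."""
    by_serial = {}
    for i, rec in enumerate(records):
        if rec["event"] == "AS_REQ":
            by_serial[rec["serial"]] = i
    return {i: by_serial.get(rec["serial"])
            for i, rec in enumerate(records) if rec["event"] == "TGS_REQ"}


def ambiguous_links(records):
    """Indices of TGS_REQ records that auth_time+principal cannot pin to one TGT."""
    return sorted(i for i, cands in correlate_by_auth_time(records).items()
                  if len(cands) != 1)


def issuing_kdc(records, tgs_index):
    """Address of the KDC that issued the TGT behind a given TGS_REQ, or None."""
    as_index = correlate_by_serial(records).get(tgs_index)
    return None if as_index is None else records[as_index]["serial"][0]


if __name__ == "__main__":
    print("by auth_time:", correlate_by_auth_time(AUDIT_RECORDS))
    print("by serial:   ", correlate_by_serial(AUDIT_RECORDS))
    print("ambiguous:   ", ambiguous_links(AUDIT_RECORDS))
    print("issuer of #3:", issuing_kdc(AUDIT_RECORDS, 3))
```

With these records the auth_time strategy returns two candidate TGTs for alice's TGS_REQ (both issued in the same second), whereas the serial strategy resolves it to exactly one and also names the issuing KDC. Whether the ambiguity matters in practice is the assurance question the post raises; the example only makes the difference between the two answers concrete.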
