Kerberos Logging for GatorLink IDs


Introduction

GatorLink IDs are expected to fill most student authentication needs in the future, including registration and other official university transactions. Therefore, it will be necessary to maintain accounting trails of administrative actions taken on accounts, and authentication events. This document is to serve as a framework for discussion about GatorLink authentication-server logging needs.

The obvious place to log authentication transactions and administrative actions is inside the Kerberos Key Distribution Center (KDC) itself. If Kerberos' native logging is adequate, it can be used unmodified. If not, the KDC is the logical place to add the necessary accounting.

Kerberos maintains two logs by default: the KDC log, krb5kdc.log, and the Kerberos Administration Daemon log, kadmin.log.

kadmin.log

example:
Jul 10 09:04:01 kerberos1 kadmind[9954](Notice):
Request: kadm5_get_principals, *asr*, success,
client=circa/admin@UFL.EDU, service=kadmin/admin@UFL.EDU,
addr=128.227.212.131

Each kadmin.log record notes:

  1. Date of request
  2. Server receiving request
  3. PID of process receiving request
  4. Record severity
  5. Requested service (here the retrieval of all principals matching a certain pattern)
  6. Arguments to the service request (here the pattern)
  7. Request success or failure
  8. The principal making the request
  9. The service granting the request
  10. The address from which the request originated

krb5kdc.log

example:
Jul 11 09:59:18 kerberos1 krb5kdc[9184](info):
AS_REQ 128.227.174.7(88): ISSUE: authtime 868629558,
user/asr@UFL.EDU for krbtgt/UFL.EDU@UFL.EDU

Each krb5kdc.log record notes:

  1. Date of request
  2. Server receiving request
  3. PID of process receiving request
  4. Record severity
  5. Requested service (here authentication for a service)
  6. IP and port of the requesting machine
  7. Authentication time
  8. Client principal
  9. The service principal
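
To show how the two record formats above can be turned into an accounting trail, here is an added Python example; it is not part of this memo and not code from the Kerberos distribution. It assumes each record occupies a single syslog line, as the daemons write it (the examples above are wrapped only for display); the sample records are constructed copies of those examples plus one more constructed AS_REQ record, and the summary function is a hypothetical one added for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample records, one per line as syslog writes them. The first two
# copy the memo's examples; the third is a constructed second AS_REQ for the same user.
SAMPLE_LOG = [
    "Jul 10 09:04:01 kerberos1 kadmind[9954](Notice): Request: kadm5_get_principals, "
    "*asr*, success, client=circa/admin@UFL.EDU, service=kadmin/admin@UFL.EDU, "
    "addr=128.227.212.131",
    "Jul 11 09:59:18 kerberos1 krb5kdc[9184](info): AS_REQ 128.227.174.7(88): ISSUE: "
    "authtime 868629558, user/asr@UFL.EDU for krbtgt/UFL.EDU@UFL.EDU",
    "Jul 11 10:02:44 kerberos1 krb5kdc[9184](info): AS_REQ 128.227.174.7(88): ISSUE: "
    "authtime 868629764, user/asr@UFL.EDU for krbtgt/UFL.EDU@UFL.EDU",
]

# Fields 1-4 (date, server, PID, severity) are common to both logs; the rest is daemon-specific.
PREFIX = re.compile(
    r"^(?P<date>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"(?P<daemon>kadmind|krb5kdc)\[(?P<pid>\d+)\]\((?P<severity>\w+)\): (?P<msg>.*)$"
)
# kadmin.log fields 5-10: service, arguments, result, requesting principal, granting service, address.
KADMIN_MSG = re.compile(
    r"^Request: (?P<service>\w+), (?P<args>.+?), (?P<result>[^,]+), "
    r"client=(?P<client>\S+), service=(?P<granting>\S+), addr=(?P<addr>\S+)$"
)
# krb5kdc.log fields 5-9: request type, IP(port), authtime, client principal, service principal.
KDC_MSG = re.compile(
    r"^(?P<service>\w+) (?P<ip>[\d.]+)\((?P<port>\d+)\): ISSUE: authtime (?P<authtime>\d+), "
    r"(?P<client>\S+) for (?P<server_princ>\S+)$"
)

def parse_record(line):
    """Return the record's fields as a dict, or None if the line matches neither
    format (callers should count such lines rather than silently drop them)."""
    head = PREFIX.match(line)
    if not head:
        return None
    rec = head.groupdict()
    body = (KADMIN_MSG if rec["daemon"] == "kadmind" else KDC_MSG).match(rec.pop("msg"))
    if not body:
        return None
    rec.update(body.groupdict())
    rec["pid"] = int(rec["pid"])
    if "authtime" in rec:  # authtime is Unix epoch seconds; keep a readable UTC copy as well
        rec["authtime_utc"] = datetime.fromtimestamp(int(rec["authtime"]), tz=timezone.utc).isoformat()
    return rec

def tickets_issued_per_client(lines):
    """Hypothetical trail summary: count of KDC ISSUE records per (client principal, source IP)."""
    counts = {}
    for rec in filter(None, map(parse_record, lines)):
        if rec["daemon"] == "krb5kdc":
            key = (rec["client"], rec["ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

The decoded authtime (13:59:18 UTC) agrees with the 09:59:18 local timestamp on the same record, which is a useful sanity check when correlating the two logs.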

Other Kerberos-maintained data

In addition to the logged information, Kerberos maintains the following security data about principals:
  • Last password change
  • Minimum and maximum password lifetimes
  • Who last modified the principal, and when
  • Last authentication success and failure
  • The number of consecutive failed authentication attempts since last success
  • Password policy
These data can be extracted via the kadmin utility.

Allen S. Rout, asr@cis.ufl.edu
Last modified on Tue Jul 15 10:21:56 1997 by Allen S. Rout