From: "Basch, Richard" <Richard.Basch@gs.com>
Date: Thu, 12 Dec 2013 13:35:01 -0500
Subject: krb5-1.11 & krb5-1.12: incomplete logging
CC: "'email@example.com'" <firstname.lastname@example.org>, "email@example.com" <firstname.lastname@example.org>
If a user attempts to authenticate with an unknown client or to an unknown service, the service name is not depicted in the Kerberos logs.
This makes anomaly detection harder to perform and impedes diagnostics.
How to reproduce:
1. For AS_REQ, simply use kinit with an unknown client name (krbtgt/REALM@REALM will not be logged as the service name).
2. For TGS_REQ, simply use kvno to query an unknown service name.
What should have happened:
It should log the attempt for “client for service”, not “client for <unknown server>”.
VP, Technology - Critical Infrastructure
30 Hudson St. 24th Floor | Jersey City, NJ 07302
Goldman, Sachs & Co
email@example.com | +1 (917) 343-4071
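Until the KDC logs the real service name, the `<unknown server>` placeholder the report describes is still a usable signal: a log consumer can count failed principal lookups per source address and, for AS_REQs, infer the TGT service name the KDC left out. The Python below is an added example and is not part of the report or of krb5 itself. The sample log lines are constructed to follow the krb5kdc.log layout (request type, status keyword, then `client for server`); the per-address threshold and the assumption that an AS_REQ is for `krbtgt/<client realm>@<client realm>` are this example's own choices.

```python
"""Parse krb5kdc log lines, flag records that carry the '<unknown server>'
placeholder, and count failed principal lookups per source address.

SAMPLE_LOG is constructed to follow the krb5kdc.log layout; it is not
captured output from any real KDC.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 12 13:35:01 kdc krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: nosuchuser@EXAMPLE.COM for <unknown server>, Client not found in Kerberos database
Dec 12 13:35:02 kdc krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 1386873301, alice@EXAMPLE.COM for <unknown server>, Server not found in Kerberos database
Dec 12 13:35:03 kdc krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1386873303, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 12 13:35:04 kdc krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 1386873301, alice@EXAMPLE.COM for <unknown server>, Server not found in Kerberos database
"""

# Header part of a KDC request record: timestamp, host, process, request
# type, etype list, source address, status keyword, then the remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<addr>[0-9A-Fa-f.:]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# The remainder always contains "<client principal> for <server principal>".
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,]+)")
UNKNOWN = "<unknown server>"
FAILED_LOOKUPS = {"CLIENT_NOT_FOUND", "UNKNOWN_SERVER"}


def parse_kdc_line(line):
    """Return a dict of fields, or None when the line is not an AS/TGS record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server").strip() if p else None
    rec["server_known"] = rec["server"] is not None and rec["server"] != UNKNOWN
    return rec


def infer_service(rec):
    """Best-effort (service name, inferred?) for a parsed record.

    Assumption made by this example, not stated by krb5: an AS_REQ asks for
    krbtgt/<client realm>@<client realm>, which is the name the reporter says
    should have been logged. A TGS_REQ's unknown service cannot be recovered
    from the log alone, so None is returned for it.
    """
    if rec["server_known"]:
        return rec["server"], False
    if rec["req"] == "AS_REQ" and rec["client"] and "@" in rec["client"]:
        realm = rec["client"].rsplit("@", 1)[1]
        return f"krbtgt/{realm}@{realm}", True
    return None, True


def summarize(log_text, threshold=2):
    """Count failed lookups per source address; flag addresses at or above
    `threshold` (an arbitrary value chosen for this example)."""
    records = [r for r in map(parse_kdc_line, log_text.splitlines()) if r]
    failures = Counter(r["addr"] for r in records if r["status"] in FAILED_LOOKUPS)
    return {
        "records": records,
        "failures_by_addr": dict(failures),
        "suspicious_addrs": sorted(a for a, n in failures.items() if n >= threshold),
        "records_missing_service_name": sum(1 for r in records if not r["server_known"]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for r in s["records"]:
        name, inferred = infer_service(r)
        tag = " (inferred)" if inferred and name else ""
        print(f'{r["req"]:7} {r["addr"]:12} {r["status"]:16} {r["client"]} -> {name}{tag}')
    print("failed lookups by address:", s["failures_by_addr"])
    print("suspicious addresses:", s["suspicious_addrs"])
    print("records with no service name:", s["records_missing_service_name"])
```

The inference step is deliberately confined to AS_REQs: for a TGS_REQ the placeholder hides exactly the information a defender would want (which service name was probed), which is why the report's request to log the real name matters more for that path.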