On Feb 19, 2006, at 20:02, Matthew Cocker wrote:

> I have finally started to get around to analysing the krb5kdc.logs from
> our production server. Most of it was simple but I can't seem to find a
> marker for a failed login with an incorrect password. I see the same log
> entry for successful or unsuccessful logins using kinit?
> Is it even possible to tell from the KDC?

If you're not using some sort of preauth system, then no, not directly. In both cases, the KDC sends something encrypted using the user's password; the KDC doesn't know whether the user was able to decrypt it.

You could look to see if additional tickets were issued to that user, but there's nothing in the logs tying the additional tickets to the initial ticket request. (In some cases the addresses from which the request was received will be consistent; however, if there's more than one initial ticket request within a few hours, you can't distinguish them, and laptops or dialup systems or other dynamically addressed systems may change addresses over a short enough time span that previously issued TGTs may still be valid.)

If you are using preauth, then you should be able to note incorrect preauth information sent, but depending on the preauth system, it may or may not be due to an incorrect password versus other causes.

Ken

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
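A worked illustration of the distinction Ken draws, added here as an example and not part of the thread or of MIT krb5 itself: a small Python script that parses AS_REQ entries in the shape MIT's krb5kdc.log uses (ISSUE, NEEDED_PREAUTH, PREAUTH_FAILED) over constructed sample lines, separates preauth failures whose reason text points at a wrong password from other preauth failures (clock skew, for instance), and flags principals whose AS_REQ went straight to ISSUE without a preauth round trip, since for those a wrong password leaves exactly the same ISSUE line as a right one. The principal names, addresses and timestamps are made up; the line shapes and the "Decrypt integrity check failed" reason string follow what MIT krb5 logs for encrypted-timestamp preauth, but the reason-to-cause mapping is a heuristic, as Ken's caveat about other preauth systems implies.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of MIT krb5kdc.log output; not real log data.
# alice's KDC entry has no preauth requirement, bob and carol require preauth.
SAMPLE_LOG = """\
Feb 19 20:01:11 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1140379271, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 19 20:01:12 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1140379272, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 19 20:02:30 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 19 20:02:31 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 19 20:02:40 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 19 20:02:41 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1140379361, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 19 20:03:05 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clock skew too great
"""

# Matches only AS_REQ (initial ticket) entries; TGS_REQ lines are ignored.
# The optional "(?:.*?, )?" skips the "authtime ..., etypes {...}, " prefix on ISSUE lines.
AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+) for (?P<server>\S+)(?:, (?P<reason>.*))?$"
)


def parse_log(text):
    """Return one dict (addr, status, client, server, reason) per AS_REQ line."""
    entries = []
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Map a KDC status (plus its reason text) to what an analyst can actually conclude."""
    status, reason = entry["status"], (entry["reason"] or "").lower()
    if status == "ISSUE":
        return "success"
    if status == "NEEDED_PREAUTH":
        # Normal first round trip for a preauth-required principal, not a failure.
        return "preauth-challenge"
    if status == "PREAUTH_FAILED":
        # With encrypted-timestamp preauth a wrong password means the timestamp
        # cannot be decrypted, which MIT reports as "Decrypt integrity check failed".
        # Other reasons (clock skew, etc.) are preauth failures but not password failures.
        if "integrity check failed" in reason:
            return "bad-password-likely"
        return "preauth-failed-other"
    return "other"


def summarize(entries):
    """Per-principal counts of each classification."""
    per_principal = defaultdict(Counter)
    for e in entries:
        per_principal[e["client"]][classify(e)] += 1
    return {k: dict(v) for k, v in per_principal.items()}


def issues_without_preauth(entries):
    """Principals whose AS_REQ went straight to ISSUE with no NEEDED_PREAUTH round trip
    from the same address beforehand. For these, a wrong password produces the same
    ISSUE line as a correct one, so the KDC log cannot show the failure at all."""
    pending = set()
    flagged = []
    for e in entries:
        key = (e["client"], e["addr"])
        if e["status"] == "NEEDED_PREAUTH":
            pending.add(key)
        elif e["status"] == "PREAUTH_FAILED":
            pending.discard(key)
        elif e["status"] == "ISSUE":
            if key in pending:
                pending.discard(key)
            else:
                flagged.append(e["client"])
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for principal, counts in sorted(summarize(parsed).items()):
        print(principal, counts)
    print("ISSUE without preauth (password failures invisible):",
          sorted(set(issues_without_preauth(parsed))))
```

Run against a real krb5kdc.log the script reports, per principal, how many AS_REQs succeeded, how many preauth failures look like a wrong password, and how many failed preauth for some other reason; the last list names the principals for which Ken's answer applies literally, where the only remaining signal is a burst of ISSUE lines from one address that may or may not be retries.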
