[39393] in Kerberos
Re: query about a possible "KRB5KEYLOGFILE" feature, to log session
daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Sun Mar 17 23:45:35 2024
Date: Sun, 17 Mar 2024 23:44:28 -0400 (EDT)
From: "Richard E. Silverman" <res@qoxp.net>
To: MIT Kerberos <kerberos@mit.edu>
In-Reply-To: <08dd4568-38a3-0137-35c7-4ea43647dad6@qoxp.net>
Message-ID: <076090ac-97d7-866d-fe6f-d13d156d892a@qoxp.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
> 2. A client may not have access to the session keys in its ccache, e.g. if
> it’s using gssproxy.
Oops, sorry -- that’s a little off the mark. In that case of course session-key logging won’t help the client directly, since it doesn’t perform those operations or call libkrb5 itself at all; the gssproxy daemon does. In that case we’d apply KRB5KEYLOGFILE to the daemon. But there is a second reason nonetheless: it’s easier for debugging. A long-lived client process under observation could have its ccache flushed by ticket renewal or similar management, losing the needed session keys (and a mechanism like gssproxy could in fact have several ccaches it manages) -- whereas setting KRB5KEYLOGFILE would reliably capture them all without extra work.
--
Richard
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
