krb5 commit: Add auth indicators to AS-REQ audit state
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon Jun 22 16:34:17 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260622203410.87455105589@krbdev.mit.edu>
Date: Mon, 22 Jun 2026 16:34:10 -0400 (EDT)
https://github.com/krb5/krb5/commit/749efe5ce06ff819616a5eed822f1bb06e87321b
commit 749efe5ce06ff819616a5eed822f1bb06e87321b
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed Apr 1 21:54:29 2026 +0300
Add auth indicators to AS-REQ audit state
Add an auth_indicators field to krb5_audit_state so that audit modules
can log which authentication indicators were present in the issued
ticket. Bump the audit plugin minor version from 1 to 2 to signal the
new field.
Update the simple audit module's JSON encoder to emit the indicators
as a JSON array under the key "auth_indicators" in AS-REQ records.
[ghudson@mit.edu: edited commit message and comments; made minor style
changes]
ticket: 9222 (new)
src/include/krb5/audit_plugin.h | 9 ++++++++-
src/kdc/do_as_req.c | 1 +
src/kdc/kdc_audit.c | 2 +-
src/plugins/audit/j_dict.h | 1 +
src/plugins/audit/kdc_j_encode.c | 42 ++++++++++++++++++++++++++++++++++++++++
5 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/src/include/krb5/audit_plugin.h b/src/include/krb5/audit_plugin.h
index 3315d77d9..3a30cb8ab 100644
--- a/src/include/krb5/audit_plugin.h
+++ b/src/include/krb5/audit_plugin.h
@@ -38,7 +38,7 @@
* the KDC to produce log output or audit records in any desired form.
*
* The audit interface has a single supported major version, which is 1. Major
- * version 1 has a current minor version of 1. Audit modules should define a
+ * version 1 has a current minor version of 2. Audit modules should define a
* function named audit_<modulename>_initvt, matching the signature:
*
* krb5_error_code
@@ -92,6 +92,10 @@ typedef struct _krb5_audit_state {
krb5_data *cl_realm; /**< referrals: remote client's realm */
krb5_principal s4u2self_user; /**< impersonated user */
int violation; /**< local or protocol policy problem */
+ /* Minor version 1 ends here. */
+
+ krb5_data **auth_indicators;
+ /* Minor version 2 ends here. */
} krb5_audit_state;
/** An abstract type for audit module data. */
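Review bot: The new `auth_indicators` member is the only field in this hunk of krb5_audit_state without a trailing Doxygen comment, while the neighbouring fields (cl_realm, s4u2self_user, violation) each carry one, so a public struct member is now declared with no description at its definition. Suggest `krb5_data **auth_indicators; /**< AS-REQ: indicators on issued ticket (NULL-terminated) */` to match the `/**< ... */` style of the surrounding members. The kau_as_req callback comment later in this file describes the array's shape but not its lifetime; since do_as_req.c copies the KDC's own pointer into this field immediately before calling kau_free_kdc_req, the struct comment would be the natural place to state that the array is borrowed for the duration of the callback and must not be freed or retained by the audit module, if that is the intended contract.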
@@ -154,6 +158,9 @@ typedef krb5_error_code
* - If available, the information about the encryption types of the short- and
* long-term keys, non-local client's referral realm, KDC status, the TGT
* and its ticket ID
+ * - If available (minor version >= 2), the authentication indicators set on
+ * the issued ticket in @a state->auth_indicators (NULL-terminated array of
+ * krb5_data pointers, each containing an indicator string)
*
* @note Optional.
*
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 4dbb6ae67..48b54b8ff 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -342,6 +342,7 @@ egress:
au_state->status = state->status;
au_state->reply = &state->reply;
+ au_state->auth_indicators = state->auth_indicators;
kau_as_req(context, (errcode || state->preauth_err) ? FALSE : TRUE,
au_state);
kau_free_kdc_req(au_state);
diff --git a/src/kdc/kdc_audit.c b/src/kdc/kdc_audit.c
index 9ce8263d2..f502d3989 100644
--- a/src/kdc/kdc_audit.c
+++ b/src/kdc/kdc_audit.c
@@ -95,7 +95,7 @@ load_audit_modules(krb5_context context)
hdl = k5alloc(sizeof(*hdl), &ret);
if (hdl == NULL)
goto cleanup;
- ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&hdl->vt);
+ ret = (*mod)(context, 1, 2, (krb5_plugin_vtable)&hdl->vt);
if (ret) {
free(hdl);
hdl = NULL;
diff --git a/src/plugins/audit/j_dict.h b/src/plugins/audit/j_dict.h
index fd93ceb04..f2aac7eca 100644
--- a/src/plugins/audit/j_dict.h
+++ b/src/plugins/audit/j_dict.h
@@ -80,6 +80,7 @@
#define AU_AUTHTIME "authtime"
#define AU_TR_CONTENTS "tr_contents"
#define AU_CADDRS "caddrs"
+#define AU_AUTH_INDICATORS "auth_indicators"
/* S4U and U2U */
#define AU_VIOLATION "violation" /* policy or protocol restrictions */
#define AU_REQ_S4U2S_USER "s4u2self_user"
diff --git a/src/plugins/audit/kdc_j_encode.c b/src/plugins/audit/kdc_j_encode.c
index 31f308067..6fa6854ec 100755
--- a/src/plugins/audit/kdc_j_encode.c
+++ b/src/plugins/audit/kdc_j_encode.c
@@ -63,6 +63,9 @@ rep_to_value(krb5_kdc_rep *rep, const krb5_boolean ev_success,
k5_json_object obj);
static krb5_error_code
tkt_to_value(krb5_ticket *tkt, k5_json_object obj, const char *key);
+static krb5_error_code
+indicators_to_value(krb5_data **indicators, k5_json_object obj,
+ const char *key);
static char *map_patype(krb5_preauthtype pa_type);
#define NULL_STATE "state is NULL"
@@ -172,6 +175,10 @@ kau_j_as_req(const krb5_boolean ev_success, krb5_audit_state *state,
ret = rep_to_value(state->reply, ev_success, obj);
if (ret == ENOMEM)
goto error;
+ /* Authentication indicators on the issued ticket. */
+ ret = indicators_to_value(state->auth_indicators, obj, AU_AUTH_INDICATORS);
+ if (ret)
+ goto error;
ret = k5_json_encode(obj, jout);
error:
@@ -897,6 +904,41 @@ error:
return ret;
}
+/* Convert an array of auth indicator strings into a JSON array property of
+ * obj. Do not add a property if no indicators are present. */
+static krb5_error_code
+indicators_to_value(krb5_data **indicators, k5_json_object obj,
+ const char *key)
+{
+ krb5_error_code ret;
+ k5_json_array arr = NULL;
+ k5_json_string str;
+ krb5_data **ind;
+
+ if (indicators == NULL || *indicators == NULL)
+ return 0;
+
+ ret = k5_json_array_create(&arr);
+ if (ret)
+ return ENOMEM;
+
+ for (ind = indicators; *ind != NULL; ind++) {
+ ret = k5_json_string_create_len((*ind)->data, (*ind)->length, &str);
+ if (ret)
+ goto cleanup;
+ ret = k5_json_array_add(arr, str);
+ k5_json_release(str);
+ if (ret)
+ goto cleanup;
+ }
+
+ ret = k5_json_object_set(obj, key, arr);
+
+cleanup:
+ k5_json_release(arr);
+ return ret;
+}
+
/* Map preauth numeric type to the naming string. */
struct _patype_str {
krb5_preauthtype id;
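Review bot: The failure path after `k5_json_array_create(&arr)` returns the literal `ENOMEM` and discards `ret`, whereas every later failure in the same function returns `ret` as received; `return ret;` keeps the error reporting uniform and does not mask any other code the JSON layer might return. Inside the loop, the `k5_json_release(str)` placed right after `k5_json_array_add(arr, str)` is only correct if the array takes its own reference on add; that appears to be the intent but is worth a one-line comment such as `/* arr now holds its own reference to str. */` so the next reader does not take it for a use-after-release. The indicator bytes are copied verbatim from `(*ind)->data` into the JSON string, so the integrity of the audit record depends on `k5_json_encode` escaping quotes and control characters in them; that is presumably the encoder's job, but it is worth confirming, since this record is what an operator will read during an investigation.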