[32225] in Kerberos
Snapshot of monthly KDC traffic for stanford.edu
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Apr 1 17:32:48 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
Date: Thu, 01 Apr 2010 14:32:42 -0700
Message-ID: <87mxxmluyt.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I just finished the metrics scripts that generate this information and
thought a snapshot of what one site sees over the course of a month may be
of general interest.
Kerberos authentications from 2010-03-01 to 2010-03-31
Initial authentications: 141,593,443
Service tickets: 47,641,042
Total tickets issued: 189,234,485
Unique users in 2010-03: 45,499
Unique services in 2010-03: 1,108
Breakdown of initial authentications:
Type Count Percent
-------- ----------- -------
Users 87,062,015 61.5%
CGI 13,150,066 9.3%
Services 41,381,362 29.2%
-------- ----------- -------
TOTAL: 141,593,443
Breakdown of service tickets:
Type Count Percent
-------- ---------- -------
Users 20,883,723 43.8%
CGI 14,888,789 31.3%
Services 11,868,530 24.9%
-------- ---------- -------
TOTAL: 47,641,042
The terminology has been managementized. "Initial authentications" are
AS-REQs and "Service tickets" are TGS-REQs, currently including the
TGS-REQ for ticket renewals. In the type breakdown, users are the
principals that mean someone was entering a password, and services is
everything else. Unique users only counts the users with passwords, not
the other stuff. "Unique services," in a minor conflation of terminology,
is the number of unique principals for which we issued service tickets in
the course of the month.
I'm intrigued by the *huge* margin between the number of initial
authentications and the number of service tickets issued. This appears to
be due to a couple of factors: large numbers of desktops without keytabs
that use Kerberos for local authentication, screen lock, and so forth; and
the habit of some implementations, apparently, of spraying the KDCs with
AS-REQs when authenticating rather than sending only one.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos