Difference between revisions of "MIT Kerberos"

m (Reverted edits by Henryut (talk) to last revision by Rhenning)
 

Latest revision as of 11:52, 6 November 2011

MIT Kerberos


MIT krb5kdc provided by krb5-kdc-1.4.4-7etch6 (Debian)

The following log excerpts include an attempt to authenticate using an invalid principal, followed by an attempt to authenticate using a valid principal with an incorrect password, followed by successful authentication and the issue of a ticket-granting ticket.

Feb 11 23:48:27 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: CLIENT_NOT_FOUND: nonexistentuser@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Client not found in Kerberos database

Feb 11 23:48:58 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: NEEDED_PREAUTH: validuserbadpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Additional pre-authentication required
Feb 11 23:48:58 hostname krb5kdc[19386]: preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 11 23:48:58 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: PREAUTH_FAILED: validuserbadpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Decrypt integrity check failed

Feb 11 23:49:07 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: NEEDED_PREAUTH: validuserokpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Additional pre-authentication required
Feb 11 23:49:07 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: ISSUE: authtime 1234414147, etypes {rep=16 tkt=16 ses=16}, validuserokpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

The following regular expression matches common authentication failures of MIT's krb5kdc when principals are configured with pre-authentication required. The pattern is MIT implementation specific and is not likely to work with Heimdal.

failregex = AS_REQ \([\w\s{}]+\) <HOST>: (PREAUTH_FAILED|CLIENT_NOT_FOUND):
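
To check the pattern against the log excerpt above, the following Python sketch expands <HOST> with the alias quoted on this page and reports which lines match. It is an added example, not part of the Fail2ban wiki page or of Fail2ban itself; the function names and the IPv4-mapped sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# <HOST> alias and failregex exactly as given on this page.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"AS_REQ \([\w\s{}]+\) <HOST>: (PREAUTH_FAILED|CLIENT_NOT_FOUND):"

# Log lines copied from the excerpt on this page.
PAGE_LOG = [
    "Feb 11 23:48:27 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: CLIENT_NOT_FOUND: nonexistentuser@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Client not found in Kerberos database",
    "Feb 11 23:48:58 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: NEEDED_PREAUTH: validuserbadpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Additional pre-authentication required",
    "Feb 11 23:48:58 hostname krb5kdc[19386]: preauth (timestamp) verify failure: Decrypt integrity check failed",
    "Feb 11 23:48:58 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: PREAUTH_FAILED: validuserbadpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Decrypt integrity check failed",
    "Feb 11 23:49:07 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: NEEDED_PREAUTH: validuserokpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Additional pre-authentication required",
    "Feb 11 23:49:07 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: ISSUE: authtime 1234414147, etypes {rep=16 tkt=16 ses=16}, validuserokpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL",
]
# Constructed line (not from the page): the same failure from an IPv4-mapped IPv6 source.
MAPPED_LINE = ("Feb 11 23:50:01 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
               "::ffff:192.168.2.2: PREAUTH_FAILED: validuserbadpasswd@REALM.LOCAL for "
               "krbtgt/REALM.LOCAL@REALM.LOCAL, Decrypt integrity check failed")

def expand(failregex):
    """Substitute the <HOST> tag with the alias quoted on this page (simplified stand-in)."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))

def find_failures(lines, failregex=FAILREGEX):
    """Return (host, failure code) for every line the failregex matches."""
    rx = expand(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append((m.group("host"), m.group(2)))  # group 2 is the failure code
    return hits

def failures_per_host(lines):
    """Tally matches per source address, the count a retry limit is compared against."""
    return Counter(host for host, _ in find_failures(lines))

if __name__ == "__main__":
    for host, code in find_failures(PAGE_LOG + [MAPPED_LINE]):
        print(host, code)
```

The NEEDED_PREAUTH lines are left unmatched, so the normal first leg of a successful pre-authenticated login does not count against the client.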