To test what kind of logging occurs, I simply used my existing installation of Windows Server 2003 R2 and Active Directory, for which the logging options had not been modified from their “out of the box†settings. From there, I cleared the security event logs and then attempted an SSH login to a CentOS 4.3 server that has been configured for AD authentication via Kerberos (through PAM, not directly inside SSH).
After the login, I reviewed the event logs and found a large number of entries for the LDAP bind account (the account that is used to bind to Active Directory to retrieve account information, such as UID number, GID number, login shell, home directory, etc.). These are useless for identifying unique logons to Linux/Unix-based systems. However, there is one event that is useful—an event ID 672 with the following text:
Authentication Ticket Request: User Name: bjones Supplied Realm Name: EXAMPLE.NET User ID: EXAMPLE\bjones Service Name: krbtgt Service ID: EXAMPLE\krbtgt Ticket Options: 0x40800000 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: 172.16.28.111 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
As you can see, this entry clearly identifies the user that was authenticated as well as the IP address of the host to which the user logged in. Note that the IP address of the workstation from which the user logon originated is not captured here.
OK, that takes care of the typical Linux system. Now, what about Solaris 10? I cleared the security event logs (saving them) and attempted an SSH logon to a Solaris server. As it turns out, Solaris 10 logs two event entries—event ID 672, as above, as well as event ID 673. The text for event ID 673 is as follows:
Service Ticket Request:
User Name: bjones@EXAMPLE.NET
User Domain: EXAMPLE.NET
Service Name: host-solarishost01
Service ID: EXAMPLE\host-solarishost01
Ticket Options: 0x40800000
Ticket Encryption Type: 0x3
Client Address: 172.16.28.112
Failure Code: -
Logon GUID: {3a653f45-928c-1f72-2c59-ca951986ac42}
Transited Services: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
This provides the same sort of information as well as the name of the service ticket that was requested by the host. (Keep in mind, too, that Solaris 10 logged both the event ID 672 and event ID 673, whereas CentOS logged only the event ID 672.)
But what about “native†Kerberos authentication, when a Kerberos ticket is used to authenticate the user? In this case, I tested three different operating systems: CentOS 4.3, Solaris 10, and OpenBSD 3.9. In all three cases an event ID 673, similar to above, was logged. However, this time it was the IP address of my actual workstation—not the IP address of the server—that was included in the event log text.
In all of the tested scenarios, there was information that identified the specific account that was being authenticated. However, depending upon whether PAM was involved, the Windows event logs may or may not capture the actual IP address of the originating workstation. In almost all cases, though, the logs on the Linux, Solaris, or OpenBSD server would capture the IP address of the originating workstation, even if the Windows event logs did not.
Tags: ActiveDirectory, CentOS, Interoperability, Kerberos, LDAP, Linux, Microsoft, Security, Solaris, UNIX, Windows
2 comments
Comments feed for this article
Trackback link
http://blog.scottlowe.org/2006/10/23/event-logging-in-ad-integration-scenarios/trackback/
Friday, December 8, 2006 at 9:55 am
David G
Scott,
Something you may not be aware of that happens with Linux clients - if you enable failure auditing for Account Logon Events, you will get an Event ID 675 Failure Audit preceeding the Event 672. The text of the event will look like this:
Pre-authentication failed:
User Name: adg
User ID: EXAMPLE\adg
Service Name: krbtgt/EXAMPLE.COM
Pre-Authentication Type: 0×0
Failure Code: 0×19
Client Address: 192.168.192.129
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
These errors are logged because the MS Kerberos implementation expects the initial TGT request to contain a ‘preauthentication’ blob which is a time stamp encrypted using the user’s password hash as an encryption key (PA_ENC_TIMESTAMP in Kerberos-speak) - this preauthentication is used to prevent replay attacks. The Linux Kerberos libraries dont send this blob in their initial TGT request. When it receives the TGT without the preauthentication blob, the AD server:
1. Rejects the initial request
2. In the reject response, indicates that Preauthentication is required and hints with a list of acceptable preauthtcation types.
2. Logs the 675 error in the Event log.
On receiving the rejct response, the Linux Kerberos libraries resend the TGT request but this time include the preauthentication blob in the TGT request.
You can disable preauthentication on a per-user basis - in AD Users & Computers, tick the ‘Do not require Kerberos preauthentication’ box in the account properties tab, but it does make the account easier to hack.
The ideal solution would be to patch the Kerberos libraries to offer up a preauthentication blob at the first TGT request but I’ve yet to see any implementations yet - I suspect because this sort of patch could break interop with other Kerberos implementations - you need to declare what type of crypto (RC4, DES-CBC) you are going to use at the outset rather than negotiate between the client & server what type of crypto is acceptable to both.
David G
Friday, December 8, 2006 at 4:21 pm
slowe
David G,
Good information! Yet another way for readers to be able to determine how users are logging in and authenticating on the network. Thanks!
Scott