- Don't log "Request from wrong address (ignoring)".
- Add "wrongaddr=yes" kv to final log message.
- Add request and ticket addresses (up to 3) to final log message.
goto out;
}
+ if (b->addresses)
+ _kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs");
+
/* check for valid set of addresses */
if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
if (r->config->warn_ticket_addresses) {
- kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+ _kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
} else {
_kdc_set_e_text(r, "Request from wrong address");
ret = KRB5KRB_AP_ERR_BADADDR;
&ap_req_options,
ticket,
KRB5_KU_TGS_REQ_AUTH);
+ if (ticket && (*ticket)->ticket.caddr)
+ _kdc_audit_addaddrs((kdc_request_t)r, (*ticket)->ticket.caddr, "tixaddrs");
if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
*ticket != NULL) {
- kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+ _kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
ret = 0;
}
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
if (config->check_ticket_addresses) {
ret = KRB5KRB_AP_ERR_BADADDR;
+ _kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
kdc_log(context, config, 4, "Request from wrong address");
goto out;
} else if (config->warn_ticket_addresses) {
- kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+ _kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
}
}
heim_audit_addkv_timediff((heim_svc_req_desc)r,k, start, end);
}
+/*
+ * Add up to 3 key value pairs to record HostAddresses from request body or
+ * PA-TGS ticket or whatever.
+ */
+void
+_kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
+{
+ size_t i;
+ char buf[128];
+
+ if (a->len > 3) {
+ char numkey[32];
+
+ if (snprintf(numkey, sizeof(numkey), "num%s", key) >= sizeof(numkey))
+ numkey[31] = '\0';
+ _kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len);
+ }
+
+ for (i = 0; i < 3 && i < a->len; i++) {
+ if (krb5_print_address(&a->val[0], buf, sizeof(buf), NULL) == 0)
+ _kdc_audit_addkv(r, 0, key, "%s", buf);
+ }
+}
+
void
_kdc_audit_trail(kdc_request_t r, krb5_error_code ret)
{
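Review bot: The loop in _kdc_audit_addaddrs prints `&a->val[0]` on every iteration, so when a request or ticket carries several addresses the audit trail records the first one up to three times and never the second or third; the index should be the loop variable: `if (krb5_print_address(&a->val[i], buf, sizeof(buf), NULL) == 0)`. The `snprintf` return value is an `int` compared against `sizeof(numkey)`, which is a `size_t`, so a negative (error) return converts to a large unsigned value and silently takes the truncation branch; and since `snprintf` always NUL-terminates for a non-zero size, the `numkey[31] = '\0'` assignment is redundant and the branch would be clearer as an error guard, `if (snprintf(numkey, sizeof(numkey), "num%s", key) < 0) return;`. The function dereferences `a` unconditionally and relies on both call sites testing the pointer first, which the header comment should state, e.g. `/* a must be non-NULL; callers check before calling. */`. The added `_kdc_audit_addaddrs` call sites earlier in the commit are outside this hunk.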
KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r ||
{ echo "Trivial offline CA test failed (gss-token)"; exit 2; }
-grep 'Request from wrong address .ignoring' ${objdir}/messages.log ||
+grep 'REQ.*wrongaddr' ${objdir}/messages.log ||
{ echo "KDC not warning about requests from wrong address"; exit 2; }
echo "Fetching a Negotiate token"