8

Is it possible to query my (MIT) Kerberos KDC to return a list of principals who have been issued TGTs that are currently valid?

My use case is that I would like to find out which users are currently logged in on any machine in a networked environment by querying only the KDC machine.

Joseph R.
  • My first guess is not because I don't think it gets notified on a `kdestroy`-type event so they may have considered it a lost cause. I don't have a running Kerberos server but you may check `kadmin.log` for ticket issuances. If they're in there then it should just be a matter of `grep`'ing them out to form a list. – Bratchley Jul 29 '14 at 02:39
  • @JoelDavis That's a very good point. For simplicity's sake, let's say I'm willing to allow false positives generated by `kdestroy`ed tickets. I don't like parsing a log file (I think you meant `kdc.log`, no?) for the information; I think it should be available from the server somehow. – Joseph R. Jul 29 '14 at 02:44
  • Well my point with the above is that these complications may have caused the maintainer of whichever project is responsible for your Kerberos to not pursue offering this feature since it couldn't be provided reliably. I can definitely see them logging the event for audit's sake, though. Parsing log files may end up being the only way to get it. `grep` isn't that difficult. – Bratchley Jul 29 '14 at 12:35

1 Answer

1

No, the MIT KDC does not keep ticket state as to which previously generated and dispensed tickets are still valid or now expired.

jblaine
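Since the KDC keeps no ticket state, the only server-side source is the issuance log the comments mention. The following is an added example (not code from the question, the answer, or MIT Kerberos itself) of the `grep`-style approach done a little more carefully: it parses the `ISSUE` lines the MIT KDC writes to `krb5kdc.log` for successful `AS_REQ`s whose service is `krbtgt/...` (i.e. TGT issuances), ignores `PREAUTH_FAILED`/`NEEDED_PREAUTH` and `TGS_REQ` lines, and treats a TGT as live if its logged `authtime` plus an assumed ticket lifetime is still in the future. The lifetime is an assumption because the log records the authtime but not the ticket's end time; set it to the realm's `max_life` from `kdc.conf`. The log lines, principals and addresses below are constructed for the example, and the result is an upper bound on logged-in users, since `kdestroy` never reaches the KDC and a client may have asked for a shorter lifetime.

```python
import re

# Matches the line the MIT KDC logs for a successful AS_REQ (initial ticket
# request) whose service principal is krbtgt/REALM@REALM, i.e. a TGT issuance.
# TGS_REQ lines are service tickets obtained with an existing TGT, and
# PREAUTH_FAILED / NEEDED_PREAUTH lines are not issuances, so they do not match.
TGT_ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<addr>\S+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{[^}]*\}, "
    r"(?P<client>\S+) for krbtgt/[^@\s]+@\S+$"
)

# Constructed sample of krb5kdc.log output (not from a real KDC). Epoch values
# correspond to the syslog timestamps shown, taken as UTC on 2014-07-28/29.
SAMPLE_LOG = """\
Jul 28 14:00:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: ISSUE: authtime 1406556000, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 29 02:39:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1406601540, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 29 02:40:12 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jul 29 02:41:30 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1406601690, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 29 02:45:00 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1406601540, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web01.example.com@EXAMPLE.COM
"""


def parse_tgt_issuances(lines):
    """Yield (client_principal, authtime_epoch, client_addr) for every TGT
    issuance found in an iterable of krb5kdc.log lines."""
    for line in lines:
        m = TGT_ISSUE_RE.search(line.rstrip("\n"))
        if m:
            yield m.group("client"), int(m.group("authtime")), m.group("addr")


def active_tgt_holders(lines, now_epoch, ticket_life_seconds=10 * 3600):
    """Return {principal: (latest_authtime, addr)} for principals whose most
    recently issued TGT has not yet reached authtime + ticket_life_seconds.

    ticket_life_seconds is an assumption (the log carries no end time); use the
    realm's max_life from kdc.conf. Because kdestroy is never reported to the
    KDC, the result can only over-approximate who is still logged in.
    """
    active = {}
    for client, authtime, addr in parse_tgt_issuances(lines):
        if authtime + ticket_life_seconds <= now_epoch:
            continue  # would have expired by now under the assumed lifetime
        prev = active.get(client)
        if prev is None or authtime > prev[0]:
            active[client] = (authtime, addr)
    return active


if __name__ == "__main__":
    # "now" = 2014-07-29 03:00:00 UTC; carol's TGT from 14:00 the day before is
    # past a 10h lifetime, while alice's and bob's from ~02:40 are not.
    for princ, (authtime, addr) in sorted(
        active_tgt_holders(SAMPLE_LOG.splitlines(), 1406602800).items()
    ):
        print(f"{princ:<24} authtime={authtime} from {addr}")
```

In practice you would feed it `open("/var/log/krb5kdc.log")` (or wherever `kdc_logfile`/`[logging]` in `kdc.conf` points) and `time.time()`; if the realm's `max_life` is not 10 hours, pass the real value as `ticket_life_seconds`.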