hdb: consolidate preauth audit event types
commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
author Luke Howard <lukeh@padl.com>
Tue, 4 Jan 2022 22:42:03 +0000 (5 09:42 +1100)
committer Luke Howard <lukeh@padl.com>
Tue, 4 Jan 2022 22:42:03 +0000 (5 09:42 +1100)
tree 4963fdb6aec7db77369d464bb8ceff57655eb22b
parent 68c4fd65724c9995e49592b07e41bea67b0a77b2
hdb: consolidate preauth audit event types

Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.

Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.

Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
kdc/kerberos5.c
lib/hdb/hdb.h