`kerberos` Provider

The kerberos provider provides USDT probes for tracing the Kerberos protocol.

This provider is under development and is not yet available.

Top

Probes

The probes are modeled after the Kerberos message types described in RFC4120. The probes are split between message creation/consumption and sending/receiving. Depending on how an application/library uses Kerberos, the Kerberos library may send/receive the message or leave the message transport up to the application/library.

The kerberos probes are described in the table below.

`kerberos` Probes

Probe	Description
`krb_ap_rep-make`	Probe that fires whenever a KRB_AP_REP message is created
`krb_ap_rep-read`	Probe that fires whenever a KRB_AP_REP message is read
`krb_ap_req-make`	Probe that fires whenever a KRB_AP_REQ message is created
`krb_ap_req-read`	Probe that fires whenever a KRB_AP_REQ message is read
`krb_cred-make`	Probe that fires whenever a KRB_CRED message is created
`krb_cred-read`	Probe that fires whenever a KRB_CRED message is read
`krb_error-make`	Probe that fires whenever a KRB_ERROR message is created
`krb_error-read`	Probe that fires whenever a KRB_ERROR message is read
`krb_kdc_rep-make`	Probe that fires whenever a KRB_KDC_REP message is created
`krb_kdc_rep-read`	Probe that fires whenever a KRB_KDC_REP message is read
`krb_kdc_req-make`	Probe that fires whenever a KRB_KDC_REQ message is created
`krb_kdc_req-read`	Probe that fires whenever a KRB_KDC_REQ message is read
`krb_priv-make`	Probe that fires whenever a KRB_PRIV message is created
`krb_priv-read`	Probe that fires whenever a KRB_PRIV message is read
`krb_safe-make`	Probe that fires whenever KRB_SAFE message is created
`krb_safe-read`	Probe that fires whenever KRB_SAFE message is read

`krb_message-recv`	Probe that fires whenever a Kerberos message is received
`krb_message-send`	Probe that fires whenever a Kerberos message is sent

Top

Arguments

The argument types for the kerberos probes are listed in the table below. The arguments are described in the following section.

`kerberos` Probe Arguments

Probe	`args[0]`	`args[1]`	`args[2]`	`args[3]`
`krb_ap_rep-make`	`krbinfo_t *`	`kaprepinfo_t *`
`krb_ap_rep-read`	`krbinfo_t *`	`kaprepinfo_t *`
`krb_ap_req-make`	`krbinfo_t *`	`kapreqinfo_t *`	`kticketinfo_t *`	`kauthenticatorinfo_t *`
`krb_ap_req-read`	`krbinfo_t *`	`kapreqinfo_t *`	`kticketinfo_t *`	`kauthenticatorinfo_t *`
`krb_cred-make`	`krbinfo_t *`	`kcredinfo_t *`
`krb_cred-read`	`krbinfo_t *`	`kcredinfo_t *`
`krb_error-make`	`krbinfo_t *`	`kerrorinfo_t *`
`krb_error-read`	`krbinfo_t *`	`kerrorinfo_t *`
`krb_kdc_rep-make`	`krbinfo_t *`	`kdcrepinfo_t *`	`kticketinfo_t *`
`krb_kdc_rep-read`	`krbinfo_t *`	`kdcrepinfo_t *`	`kticketinfo_t *`
`krb_kdc_req-make`	`krbinfo_t *`	`kdcreqinfo_t *`
`krb_kdc_req-read`	`krbinfo_t *`	`kdcreqinfo_t *`
`krb_priv-make`	`krbinfo_t *`	`kprivinfo_t *`
`krb_priv-read`	`krbinfo_t *`	`kprivinfo_t *`
`krb_safe-make`	`krbinfo_t *`	`ksafeinfo_t *`
`krb_safe-read`	`krbinfo_t *`	`ksafeinfo_t *`

`krb_message-recv`	`krbinfo_t *`	`kconninfo_t *`
`krb_message-send`	`krbinfo_t *`	`kconninfo_t *`

Top

`krbinfo_t` structure

The krbinfo_t structure holds generic kerberos message information.

typedef struct krbinfo {
    uint8_t krb_version;
    string krb_message_type;
    uint64_t krb_message_id;
    uint32_t krb_message_length;
    uintptr_t krb_message; 
} krbinfo_t;

`krbinfo_t` Members

`krb_version`	Protocol version number. Currently always 5.
`krb_message_type`	Message type.
`krb_message_id`	Message identifier. There is no concept of a message identifier in the Kerberos protocol. The identifier is specific to the Kerberos provider and meant only to link messages between the make/read and send/recv probes.
`krb_message_length`	Message length in bytes.
`krb_message`	Raw ASN.1 encoded message.

Top

`kaprepinfo_t` structure

The kaprepinfo_t structure holds KRB_AP_REP message information.

typedef struct kaprepinfo {
    uint32_t kaprep_enc_part_kvno;
    string kaprep_enc_part_etype;
    uint32_t kaprep_enc_ctime;
    uint32_t kaprep_enc_cusec;
    string kaprep_enc_subkey_type;
    uint32_t kaprep_enc_subkey_length;
    uintptr_t kaprep_enc_subkey_value;
    uint32_t kaprep_enc_seq_number;
} kaprepinfo_t;

`kaprepinfo_t` Members

`kaprep_enc_part_kvno`	Key version number.
`kaprep_enc_part_etype`	Encryption type of encrypted AP reply.
`kaprep_enc_ctime`	Client time in seconds.
`kaprep_enc_cusec`	Client time, microseconds portion.
`kaprep_enc_subkey_type`	Encryption type of sub-key.
`kaprep_enc_subkey_length`	Length of sub-key.
`kaprep_enc_subkey_value`	Sub-key.
`kaprep_enc_seq_number`	Sequence number.

Top

`kapreqinfo_t` structure

The kapreqinfo_t structure holds KRB_AP_REQ message information.

typedef struct kapreqinfo {
    string kapreq_ap_options;
    uint32_t kapreq_authenticator_kvno;
    string kapreq_authenticator_etype;
} kapreqinfo_t;

`kapreqinfo_t` Members

`kapreq_ap_options`	Options (use-session-key,... ).
`kapreq_authenticator_kvno`	Key version number.
`kapreq_authenticator_etype`	Encryption type of authenticator.

Top

`kticketinfo_t` structure

The kticketinfo_t structure holds ticket information.

typedef struct kticketinfo_t {
    string kticket_server;
    uint32_t kticket_enc_part_kvno;
    string kticket_enc_part_etype;
    string kticket_enc_flags;
    string kticket_enc_key_type;
    uint32_t kticket_enc_key_length;
    uintptr_t kticket_enc_key_value;
    string kticket_enc_client;
    string kticket_enc_transited;
    string kticket_enc_transited_type;
    uint32_t kticket_enc_authtime;
    uint32_t kticket_enc_starttime;
    uint32_t kticket_enc_endtime;
    uint32_t kticket_enc_renew_till;
    string kticket_enc_addresses;
    string kticket_enc_authorization_data;
} kticketinfo_t;

`kticketinfo_t` Members

`kticket_server`	Service principal identifier.
`kticket_enc_part_kvno`	Key version number.
`kticket_enc_part_etype`	Encryption type of encrypted ticket.
`kticket_enc_flags`	Ticket flags (forwardable, ...).
`kticket_enc_key_type`	Key type (des3-cbc-sha1, ...).
`kticket_enc_key_length`	Key length.
`kticket_enc_key_value`	Key data.
`kticket_enc_client`	Client principal identifier.
`kticket_enc_transited`	List of transited Kerberos realms.
`kticket_enc_transited_type`	Encoding type.
`kticket_enc_authtime`	Time of initial authentication in seconds.
`kticket_enc_starttime`	Ticket start time in seconds.
`kticket_enc_endtime`	Ticket end time in seconds.
`kticket_enc_renew_till`	Ticket renewal time in seconds.
`kticket_enc_addresses`	Addresses associated with ticket.
`kticket_enc_authorization_data`	List of top-level authorization types.

Top

`kauthenticator_t` structure

The kauthenticator_t structure holds authenticator information.

typedef struct kauthenticatorinfo {
    string kauth_client;
    string kauth_cksum_type;
    uint32_t kauth_cksum_length;
    uintptr_t kauth_cksum_value;
    uint32_t kauth_cusec;
    uint32_t kauth_ctime;
    string kauth_subkey_type;
    uint32_t kauth_subkey_length;
    uintptr_t kauth_subkey_value;
    uint32_t kauth_seq_number;
    string kauth_authorization_data;
} kauthenticatorinfo_t;

`kauthenticatorinfo_t` Members

`kauth_client`	Client principal identifier.
`kauth_cksum_type`	Type of checksum (des-cbc, ...).
`kauth_cksum_length`	Length of checksum.
`kauth_cksum_value`	Raw checksum data.
`kauth_cusec`	Client time, microseconds.
`kauth_ctime`	Client time in seconds.
`kauth_subkey_type`	Sub-key type (des3-cbc-sha1, ...).
`kauth_subkey_length`	Sub-key length.
`kauth_subkey_value`	Sub-key data.
`kauth_seq_number`	Sequence number.
`kauth_authorization_data`	Top-level authorization types (AD-IF-RELEVANT, ... ).

Top

`kcredinfo_t` structure

The kcredinfo_t structure holds KRB_CRED message information.

typedef struct kcredinfo {
    uint32_t kcred_enc_part_kvno;
    string kcred_enc_part_etype;
    uint32_t kcred_tickets;
    uint32_t kcred_enc_nonce;
    uint32_t kcred_enc_timestamp;
    uint32_t kcred_enc_usec;
    string kcred_enc_s_address;
    string kcred_enc_r_address;
} kcredinfo_t;

`kcredinfo_t` Members

`kcred_enc_part_kvno`	Key version number.
`kcred_enc_part_etype`	Encryption type of encrypted message.
`kcred_tickets`	Number of tickets.
`kcred_enc_nonce`	Nonce for replay detection.
`kcred_enc_timestamp`	Time of sender in seconds.
`kcred_enc_usec`	Time of sender, microseconds.
`kcred_enc_s_address`	Sender's address.
`kcred_enc_r_address`	Recipient's address.

Top

`kerrorinfo_t` structure

The kerrorinfo_t structure holds KRB_ERROR message information.

typedef struct kerrorinfo {
    uint32_t kerror_ctime;
    uint32_t kerror_cusec;
    uint32_t kerror_stime;
    uint32_t kerror_susec;
    string kerror_error_code;
    string kerror_client;
    string kerror_server;
    string kerror_e_text;
    string kerror_e_data;
} kerrorinfo_t;

`kerrorinfo_t` Members

`kerror_ctime`	Client time in seconds.
`kerror_cusec`	Client time, microseconds.
`kerror_stime`	Server time in seconds.
`kerror_susec`	Server time, microseconds.
`kerror_error_code`	Error code (KRB_AP_ERR_SKEW, ...).
`kerror_client`	Client principal identifier.
`kerror_server`	Server principal identifier.
`kerror_e_text`	Additional error text.
`kerror_e_data`	Additional error data.

Top

`kdcrepinfo_t` structure

The kdcrepinfo_t structure holds KRB_KDC_REQ message information.

typedef struct kdcrepinfo {
    string kdcrep_padata_types;
    string kdcrep_client;
    uint32_t kdcrep_enc_part_kvno;
    string kdcrep_enc_part_etype;
    string kdcrep_enc_key_type;
    uint32_t kdcrep_enc_key_length;
    uintptr_t kdcrep_enc_key_value;
    string kdcrep_enc_last_req;
    uint32_t kdcrep_enc_nonce;
    uint32_t kdcrep_enc_key_expiration;
    string kdcrep_enc_flags;
    uint32_t kdcrep_enc_authtime;
    uint32_t kdcrep_enc_starttime;
    uint32_t kdcrep_enc_endtime;
    uint32_t kdcrep_enc_renew_till;
    string kdcrep_enc_server;
    string kdcrep_enc_caddr;
} kdcrepinfo_t;

`kdcrepinfo_t` Members

`kdcrep_padata_types`	List of pre-authentication types.
`kdcrep_client`	Client principal identifier.
`kdcrep_enc_part_kvno`	Key version number.
`kdcrep_enc_part_etype`	Encryption type of encrypted KDC reply.
`kdcrep_enc_key_type`	Key type (des3-cbc-sha1, ...).
`kdcrep_enc_key_length`	Key length.
`kdcrep_enc_key_value`	Key data.
`kdcrep_enc_last_req`	Times of last request of principal.
`kdcrep_enc_nonce`	Nonce for replay detection.
`kdcrep_enc_key_expiration`	Expiration time of client's key in seconds.
`kdcrep_enc_flags`	Ticket flags.
`kdcrep_enc_authtime`	Time of authentication of ticket in seconds.
`kdcrep_enc_starttime`	Ticket start time in seconds.
`kdcrep_enc_endtime`	Ticket end time in seconds.
`kdcrep_enc_renew_till`	Ticket renewal time in seconds.
`kdcrep_enc_server`	Server principal identifier.
`kdcrep_enc_caddr`	Zero or more client addresses.

Top

`kdcreqinfo_t` structure

The kdcreqinfo_t structure holds KRB_KDC_REQ message information.

typedef struct kdcreqinfo {
    string kdcreq_padata_types;
    string kdcreq_kdc_options;
    string kdcreq_client;
    string kdcreq_server;
    string kdcreq_from;
    uint32_t kdcreq_till;
    uint32_t kdcreq_rtime;
    uint32_t kdcreq_nonce;
    string kdcreq_etype;
    string kdcreq_addresses;
    string kdcreq_authorization_data;
    uint32_t kdcreq_num_additional_tickets;
} kdcreqinfo_t;

`kdcreqinfo_t` Members

`kdcreq_padata_types`	List of pre-authentication types.
`kdcreq_kdc_options`	Requested ticket flags.
`kdcreq_client`	Client principal identifier.
`kdcreq_server`	Server principal identifier.
`kdcreq_from`	Requested start time in seconds.
`kdcreq_till`	Requested end time in seconds.
`kdcreq_rtime`	Requested renewal time in seconds.
`kdcreq_nonce`	Nonce for replay detection.
`kdcreq_etype`	Preferred encryption types.
`kdcreq_addresses`	List of requested ticket addresses.
`kdcreq_authorization_data`	List of top-level auth types.
`kdcreq_num_additional_tickets`	Number of additional tickets.

Top

`kprivinfo_t` structure

The kprivinfo_t structure holds KRB_PRIV message information.

typedef struct kprivinfo {
    uint32_t kpriv_enc_part_kvno;
    string kpriv_enc_part_etype;
    uintptr_t kpriv_enc_user_data;
    uint32_t kpriv_enc_timestamp;
    uint32_t kpriv_enc_usec;
    uint32_t kpriv_enc_seq_number;
    string kpriv_enc_s_address;
    string kpriv_enc_r_address;
} kprivinfo_t;

`kprivinfo_t` Members

`kpriv_enc_part_kvno`	Key version number.
`kpriv_enc_part_etype`	Encryption type of encrypted message.
`kpriv_enc_user_data`	Raw application specific data.
`kpriv_enc_timestamp`	Time of sender in seconds.
`kpriv_enc_usec`	Time of sender, microseconds.
`kpriv_enc_seq_number`	Sequence number.
`kpriv_enc_s_address`	Sender's address.
`kpriv_enc_r_address`	Recipient's address.

Top

`ksafeinfo_t` structure

The ksafeinfo_t structure holds KRB_SAFE message information.

typedef struct ksafeinfo {
    uintptr_t ksafe_user_data;
    uint32_t ksafe_timestamp;
    uint32_t ksafe_usec;
    uint32_t ksafe_seq_number;
    string ksafe_s_address;
    string ksafe_r_address;
    string ksafe_cksum_type;
    uint32_t ksafe_cksum_length;
    uintptr_t ksafe_cksum_value;
} ksafeinfo_t;

`ksafeinfo_t` Members

`ksafe_user_data`	Raw application specific data.
`ksafe_timestamp`	Time of sender in seconds.
`ksafe_usec`	Time of sender, microseconds.
`ksafe_seq_number`	Sequence number.
`ksafe_s_address`	Sender's address.
`ksafe_r_address`	Recipient's address.
`ksafe_cksum_type`	Checksum type (des-cbc, ...).
`ksafe_cksum_length`	Length of checksum.
`ksafe_cksum_value`	Raw checksum data.

Top

`kconninfo_t` structure

The kconninfo_t structure holds connection information.

typedef struct kconninfo {
    string kconn_remote;
    string kconn_local;
    string kconn_protocol;
    string kconn_type;
    uint16_t kconn_localport;
    uint16_t kconn_remoteport;
} kconninfo_t;

`kconninfo_t` Members

`kconn_remote`	Remote host address.
`kconn_local`	Local host address.
`kconn_protocol`	Protocol (ipv4, ipv6).
`kconn_type`	Transport type (udp, tcp).
`kconn_localport`	Local port.
`kconn_remoteport`	Remote port.

Top

Examples

Some simple examples of kerberos provider usage follow.

dump a Kerberos error message

# Dump a Kerberos error message
# dtrace -n 'krb_error-make {
    printf("\n{");
    printf("\n\tctime = %Y", (uint64_t)(args[1]->kerror_ctime * 1000000000));
    printf("\n\tcusec = %d", args[1]->kerror_cusec);
    printf("\n\tstime = %Y", (uint64_t)(args[1]->kerror_stime * 1000000000));
    printf("\n\tsusec = %d", args[1]->kerror_susec);
    printf("\n\terror_code = %s", args[1]->kerror_error_code);
    printf("\n\tclient = %s", args[1]->kerror_client);
    printf("\n\tserver = %s", args[1]->kerror_server);
    printf("\n\te_text = %s", args[1]->kerror_e_text);
    printf("\n\te_data = %s", "");
    printf("\n}");
}'
dtrace: description 'krb_error-make ' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0  78307     krb5_mk_error:krb_error-make 
{
	ctime = 2010 May 10 12:11:20
	cusec = 0
	stime = 2010 May 10 12:11:20
	susec = 319090
	error_code = KDC_ERR_C_PRINCIPAL_UNKNOWN(6)
	client = testuser@D.COM
	server = krbtgt/D.COM@D.COM
	e_text = CLIENT_NOT_FOUND
	e_data = 
}

Show the most requested tickets a KDC is asked for

# dtrace -n 'kerberos$target:::krb_kdc_req-read { @[args[1]->kdcreq_server] = count(); }' -p $(pgrep krb5kdc)
^C

  nfs/four.acme.com@D.COM                                           2
  krbtgt/D.COM@D.COM                                                3
  host/four.acme.com@D.COM                                          4

Display the service ticket required to access an ssh server

# LD_PRELOAD_32=/usr/lib/gss/mech_krb5.so.1 dtrace -q -n '
kerberos$target:::krb_kdc_req-make {
    printf("kdcreq_server: %s",args[1]->kdcreq_server);
}' -c "ssh local@four.acme.com" -o dtrace.out
Last login: Thu Apr 29 15:27:44 2010
Sun Microsystems Inc.   SunOS 5.11      snv_137 March 2010
$ ^D
# cat dtrace.out 
kdcreq_server: host/four.acme.com@D.COM

Display KDC address and port when getting an initial TGT when the KDC is unavailable.

# LD_BIND_NOW=1 dtrace -q -n '
kerberos$target:::krb_message-send {
    printf("%s:%d\n",args[1]->kconn_remote, args[1]->kconn_remoteport)
}
' -c "kinit local4"

10.10.10.14:88
10.10.10.14:750
10.10.10.14:88
10.10.10.14:750
10.10.10.14:88
10.10.10.14:750
kinit(v5): Cannot contact any KDC for realm 'D.COM' while getting initial credentials

Top

`kerberos` Stability

The kerberos provider uses DTrace's stability mechanism to describe its stabilities, as shown in the following table. For more information about the stability mechanism, see Chapter 39, Stability.

Element	Name stability	Data stability	Dependency class
Provider	Evolving	Evolving	Common
Module	Private	Private	Unknown
Function	Private	Private	Unknown
Name	Evolving	Evolving	Common
Arguments	Unstable	Unstable	Common

kerberos Provider

kerberos Provider

Probes

kerberos Probes

Arguments

kerberos Probe Arguments

krbinfo_t structure

krbinfo_t Members

kaprepinfo_t structure

kaprepinfo_t Members

kapreqinfo_t structure

kapreqinfo_t Members

kticketinfo_t structure

kticketinfo_t Members

kauthenticator_t structure

kauthenticatorinfo_t Members

kcredinfo_t structure

kcredinfo_t Members

kerrorinfo_t structure

kerrorinfo_t Members

kdcrepinfo_t structure

kdcrepinfo_t Members

kdcreqinfo_t structure

kdcreqinfo_t Members

kprivinfo_t structure

kprivinfo_t Members

ksafeinfo_t structure

ksafeinfo_t Members

kconninfo_t structure

kconninfo_t Members