在 Oracle® Solaris 11.2 中管理 Kerberos 和其他验证服务

退出打印视图

更新时间: 2014 年 9 月
 
 

用于 Kerberos 的 DTrace 探测器

本附录介绍 DTrace 探测器和参数结构。有关其使用示例,请参见对 Kerberos 服务使用 DTrace

Kerberos 中的 DTrace 探测器

探测器指的是 DTrace 可将请求绑定到的程序位置或活动,以便执行一组操作。探测器由提供者定义并实现。提供者指的是内核可装入的模块,可使其探测器跟踪数据。

这些探测器用于用户静态定义跟踪 (User Statically Defined Tracing, USDT)。USDT 探测器设计为在用户范围内检查 Kerberos 协议。未提供用于静态定义跟踪的内核探测器。

可以创建脚本,以便相应的 DTrace 探测器记录您想要的信息(例如,栈跟踪、时间戳或函数的参数)。当触发探测器时,DTrace 会从探测器中收集数据并报告回给用户。如果没有为探测器指定任何操作,DTrace 将记录每次触发探测器的时间及其在哪个 CPU 触发。

Kerberos DTrace 探测器是仿照 Kerberos 消息类型建立的,如 RFC4120: The Kerberos Network Authentication Service (V5)(RFC4120:Kerberos 网络验证服务 (V5))中所述。这些探测器可供 libkrb5/mech_krb5 的使用者使用,包括那些通过 libgss 使用 mech_krb5 的应用程序。探测器的功能分为消息创建和使用以及发送和接收。有关 libgss 的更多信息,请参见 libgss(3LIB) 手册页。

要使用探测器,请指定 kerberos 提供者、探测器的名称(例如 krb_message-recv)和参数。有关示例,请参见对 Kerberos 服务使用 DTrace

Kerberos DTrace 探测器的定义

用于 KRB_AP_REP 的探测器:

kerberos$pid:::krb_ap_rep-make
kerberos$pid:::krb_ap_rep-read

args[0]        krbinfo_t *
args[1]        kaprepinfo_t *

用于 KRB_AP_REQ 的探测器:

kerberos$pid:::krb_ap_req-make
kerberos$pid:::krb_ap_req-read

args[0]        krbinfo_t *
args[1]        kapreqinfo_t *
args[2]        kticketinfo_t *
args[3]        kauthenticatorinfo_t *

用于 KRB_KDC_REP 的探测器:

kerberos$pid:::krb_kdc_rep-make
kerberos$pid:::krb_kdc_rep-read

args[0]        krbinfo_t *
args[1]        kdcrepinfo_t *
args[2]        kticketinfo_t *

用于 KRB_KDC_REQ 的探测器:

kerberos$pid:::krb_kdc_req-make
kerberos$pid:::krb_kdc_req-read

args[0]        krbinfo_t *
args[1]        kdcreqinfo_t *

用于 KRB_CRED 的探测器:

kerberos$pid:::krb_cred-make
kerberos$pid:::krb_cred-read

args[0]        krbinfo_t *
args[1]        kcredinfo_t *

用于 KRB_ERROR 的探测器:

kerberos$pid:::krb_error-make
kerberos$pid:::krb_error-read

args[0]        krbinfo_t *
args[1]        kerrorinfo_t *

用于 KRB_PRIV 的探测器:

kerberos$pid:::krb_priv-make
kerberos$pid:::krb_priv-read

args[0]        krbinfo_t *
args[1]        kprivinfo_t *

用于 KRB_SAFE 的探测器:

kerberos$pid:::krb_safe-make
kerberos$pid:::krb_safe-read

args[0]        krbinfo_t *
args[1]        ksafeinfo_t *

用于发送和接收消息的探测器

kerberos$pid:::krb_message-recv
kerberos$pid:::krb_message-send

args[0]        krbinfo_t *
args[1]        kconninfo_t *

Kerberos 中的 DTrace 参数结构

在某些情况下,部分参数的值可以为 0 或为空。在设计上,Kerberos 参数结构基本符合 RFC4120: The Kerberos Network Authentication Service (V5)(RFC4120:Kerberos 网络验证服务 (V5))中所述的要求。

DTrace 中的 Kerberos 消息信息

typedef struct krbinfo {
uint8_t krb_version;                /* protocol version number (5) */
string krb_message_type;            /* Message type (AS_REQ(10), ...) */
uint64_t krb_message_id;            /* message identifier */
uint32_t krb_message_length;        /* message length */
uintptr_t krb_message;              /* raw ASN.1 encoded message */
} krbinfo_t;

注 -  Kerberos 协议不具有消息标识符。krb_message_id 标识符特定于 Kerberos 提供者,并用于在 make/read 探测器与 send/recv 探测器之间链接消息。

DTrace 中的 Kerberos 连接信息

typedef struct kconninfo {
string kconn_remote;                /* remote host address */
string kconn_local;                 /* local host address */
uint16_t kconn_localport;           /* local port */
uint16_t kconn_remoteport;          /* remote port */
string kconn_protocol;              /* protocol (ipv4, ipv6) */
string kconn_type;                  /* transport type (udp, tcp) */
} kconninfo_t;

DTrace 中的 Kerberos 验证者信息

typedef struct kauthenticatorinfo {
string kauth_client;                /* client principal identifier */
string kauth_cksum_type;            /* type of checksum (des-cbc, ...) */
uint32_t kauth_cksum_length;        /* length of checksum */
uintptr_t kauth_cksum_value;        /* raw checksum data */
uint32_t kauth_cusec;               /* client time, microseconds */
uint32_t kauth_ctime;               /* client time in seconds */
string kauth_subkey_type;           /* sub-key type (des3-cbc-sha1, ...) */
uint32_t kauth_subkey_length;       /* sub-key length */
uintptr_t kauth_subkey_value;       /* sub-key data */
uint32_t kauth_seq_number;          /* sequence number */
string kauth_authorization_data;    /* top-level authorization types
(AD-IF-RELEVANT, ... ) */
} kauthenticatorinfo_t;

typedef struct kticketinfo_t {
string kticket_server;              /* service principal identifier */
uint32_t kticket_enc_part_kvno;     /* key version number */
string kticket_enc_part_etype;      /* enc type of encrypted ticket */
string kticket_enc_flags;           /* ticket flags (forwardable, ...) */
string kticket_enc_key_type;        /* key type (des3-cbc-sha1, ...) */
uint32_t kticket_enc_key_length;    /* key length */
uintptr_t kticket_enc_key_value;    /* key data */
string kticket_enc_client;          /* client principal identifier */
string kticket_enc_transited;       /* list of transited Kerberos realms */
string kticket_enc_transited_type;  /* encoding type */
uint32_t kticket_enc_authtime;      /* time of initial authentication */
uint32_t kticket_enc_starttime;     /* ticket start time in seconds */
uint32_t kticket_enc_endtime;       /* ticket end time in seconds */
uint32_t kticket_enc_renew_till;    /* ticket renewal time in seconds */
string kticket_enc_addresses;       /* addresses associated with ticket */
string kticket_enc_authorization_data;  /* list of top-level auth types */
} kticketinfo_t;

typedef struct kdcreqinfo {
string kdcreq_padata_types;         /* list of pre-auth types */
string kdcreq_kdc_options;          /* requested ticket flags */
string kdcreq_client;               /* client principal identifier */
string kdcreq_server;               /* server principal identifier */
uint32_t kdcreq_from;               /* requested start time in seconds */
uint32_t kdcreq_till;               /* requested end time in seconds */
uint32_t kdcreq_rtime;              /* requested renewal time in seconds */
uint32_t kdcreq_nonce;              /* nonce for replay detection */
string kdcreq_etype;                /* preferred encryption types */
string kdcreq_addresses;            /* list of requested ticket addresses */
string kdcreq_authorization_data;   /* list of top-level auth types */
uint32_t kdcreq_num_additional_tickets; /* number of additional tickets */
} kdcreqinfo_t;

typedef struct kdcrepinfo {
string kdcrep_padata_types;         /* list of pre-auth types */
string kdcrep_client;               /* client principal identifier */
uint32_t kdcrep_enc_part_kvno;      /* key version number */
string kdcrep_enc_part_etype;       /* enc type of encrypted KDC reply */
string kdcrep_enc_key_type;         /* key type (des3-cbc-sha1, ...) */
uint32_t kdcrep_enc_key_length;     /* key length */
uintptr_t kdcrep_enc_key_value;     /* key data */
string kdcrep_enc_last_req;         /* times of last request of principal */
uint32_t kdcrep_enc_nonce;          /* nonce for replay detection */
uint32_t kdcrep_enc_key_expiration; /* expiration time of client's key */
string kdcrep_enc_flags;            /* ticket flags */
uint32_t kdcrep_enc_authtime;       /* time of authentication of ticket */
uint32_t kdcrep_enc_starttime;      /* ticket start time in seconds */
uint32_t kdcrep_enc_endtime;        /* ticket end time in seconds */
uint32_t kdcrep_enc_renew_till;       /* ticket renewal time in seconds*/
string kdcrep_enc_server;           /* server principal identifier */
string kdcrep_enc_caddr;            /* zero or more client addresses */
} kdcrepinfo_t;

typedef struct kapreqinfo {
string kapreq_ap_options;           /* options (use-session-key,... ) */
uint32_t kapreq_authenticator_kvno; /* key version number */
string kapreq_authenticator_etype;  /* enc type of authenticator */
} kapreqinfo_t;

typedef struct kaprepinfo {
uint32_t kaprep_enc_part_kvno;      /* key version number */
string kaprep_enc_part_etype;       /* enc type of encrypted AP reply */
uint32_t kaprep_enc_ctime;          /* client time in seconds */
uint32_t kaprep_enc_cusec;          /* client time, microseconds portion */
string kaprep_enc_subkey_type;      /* sub-key type */
uint32_t kaprep_enc_subkey_length;  /* sub-key length */
uintptr_t kaprep_enc_subkey_value;  /* sub-key data */
uint32_t kaprep_enc_seq_number;     /* sequence number */
} kaprepinfo_t;

typedef struct kerrorinfo {
uint32_t kerror_ctime;              /* client time in seconds */
uint32_t kerror_cusec;              /* client time, microseconds */
uint32_t kerror_stime;              /* server time in seconds */
uint32_t kerror_susec;              /* server time, microseconds */
string kerror_error_code;           /* error code (KRB_AP_ERR_SKEW, ...) */
string kerror_client;               /* client principal identifier */
string kerror_server;               /* server principal identifier */
string kerror_e_text;               /* additional error text */
string kerror_e_data;               /* additional error data */
} kerrorinfo_t;

typedef struct ksafeinfo {
uintptr_t ksafe_user_data;          /* raw application specific data */
uint32_t ksafe_timestamp;           /* time of sender in seconds */
uint32_t ksafe_usec;                /* time of sender, microseconds */
uint32_t ksafe_seq_number;          /* sequence number */
string ksafe_s_address;             /* sender's address */
string ksafe_r_address;             /* recipient's address */
string ksafe_cksum_type;            /* checksum type (des-cbc, ...) */
uint32_t ksafe_cksum_length;        /* length of checksum */
uintptr_t ksafe_cksum_value;        /* raw checksum data */
} ksafeinfo_t;

typedef struct kprivinfo {
uint32_t kpriv_enc_part_kvno;       /* key version number */
string kpriv_enc_part_etype;        /* enc type of encrypted message */
uintptr_t kpriv_enc_user_data;      /* raw application specific data */
uint32_t kpriv_enc_timestamp;       /* time of sender in seconds */
uint32_t kpriv_enc_usec;            /* time of sender, microseconds */
uint32_t kpriv_enc_seq_number;      /* sequence number */
string kpriv_enc_s_address;         /* sender's address */
string kpriv_enc_r_address;         /* recipient's address */
} kprivinfo_t;

typedef struct kcredinfo {
uint32_t kcred_enc_part_kvno;       /* key version number */
string kcred_enc_part_etype;        /* enc type of encrypted message */
uint32_t kcred_tickets;             /* number of tickets */
uint32_t kcred_enc_nonce;           /* nonce for replay detection */
uint32_t kcred_enc_timestamp;       /* time of sender in seconds */
uint32_t kcred_enc_usec;            /* time of sender, microseconds */
string kcred_enc_s_address;         /* sender's address */
string kcred_enc_r_address;         /* recipient's address */
} kcredinfo_t;