.. _auth_indicator:

Authentication indicators
=========================

As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as :ref:`PKINIT <pkinit>` or :ref:`OTP <otp_preauth>`. These
annotations are called "authentication indicators." Service
principals can be configured to require particular authentication
indicators in order to authenticate to that service. An
authentication indicator value can be any string chosen by the KDC
administrator; there are no pre-set values.

To use authentication indicators with PKINIT or OTP, first configure
the KDC to include an indicator when that preauthentication mechanism
is used. For PKINIT, use the **pkinit_indicator** variable in
:ref:`kdc.conf(5)`. For OTP, use the **indicator** variable in the
token type definition, or specify the indicators in the **otp** user
string as described in :ref:`otp_preauth`.

To require an indicator to be present in order to authenticate to a
service principal, set the **require_auth** string attribute on the
principal to the indicator value to be required. If you wish to allow
one of several indicators to be accepted, you can specify multiple
indicator values separated by spaces.

For example, a realm could be configured to set the authentication
indicator value "strong" when PKINIT is used to authenticate, using a
setting in the :ref:`kdc_realms` subsection::

    pkinit_indicator = strong

A service principal could be configured to require the "strong"
authentication indicator value::

    $ kadmin setstr host/high.value.server require_auth strong
    Password for user/admin@KRBTEST.COM:

A user who authenticates with PKINIT would be able to obtain a ticket
for the service principal::

    $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
    $ kvno host/high.value.server
    host/high.value.server@KRBTEST.COM: kvno = 1

but a user who authenticates with a password would not::

    $ kinit user
    Password for user@KRBTEST.COM:
    $ kvno host/high.value.server
    kvno: KDC policy rejects request while getting credentials for
    host/high.value.server@KRBTEST.COM

GSSAPI server applications can inspect authentication indicators
through the :ref:`auth-indicators <gssapi_authind_attr>` name
attribute.
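The following is an added example, not code from MIT krb5, that models
the policy described on this page so it can be exercised offline: the
**require_auth** string attribute is parsed as space-separated
alternatives, an unset attribute imposes no requirement, and the same
test is applied by a GSSAPI server to the values it reads from the
``auth-indicators`` name attribute. The ``HTTP/portal.example.com``
and ``host/ordinary.server`` principals, the ``otp-hw`` indicator and
every function name below are constructed for illustration; only
``host/high.value.server`` and the ``strong`` indicator come from the
page.

```python
# Added example: a model of authentication-indicator policy evaluation.
# Not MIT krb5 code; it mirrors the semantics documented on this page.
# Principals other than host/high.value.server, the "otp-hw" indicator
# and all function names are constructed for illustration.

KDC_POLICY_REJECT = "KDC policy rejects request"


def parse_require_auth(value):
    """Parse a principal's require_auth string attribute.

    The attribute holds one or more indicator values separated by
    spaces; any one of them satisfies the requirement. An unset
    attribute (None) or an empty string means no requirement.
    """
    if value is None:
        return frozenset()
    return frozenset(value.split())


def indicators_satisfy(required, present):
    """Return True when 'present' meets the 'required' set.

    No requirement -> always satisfied; otherwise at least one required
    indicator must be present (alternatives, not a conjunction).
    """
    required = frozenset(required)
    return not required or not required.isdisjoint(present)


def kdc_decide(service_attrs, client_indicators):
    """Decide a service-ticket request against the service's attributes.

    service_attrs: dict of string attributes as set with `kadmin setstr`.
    client_indicators: indicators the KDC attached to the client's TGT
    because of the preauth mechanism used (e.g. pkinit_indicator).
    Returns "issued" or the rejection text a client would see.
    """
    required = parse_require_auth(service_attrs.get("require_auth"))
    if indicators_satisfy(required, client_indicators):
        return "issued"
    return KDC_POLICY_REJECT


def server_check(name_attr_values, required):
    """Application-side enforcement from the auth-indicators attribute.

    GSSAPI returns the attribute as a sequence of byte strings, one per
    indicator carried in the ticket; decode them and apply the same
    test so a service can insist on an indicator even when the KDC
    has no require_auth set for it.
    """
    present = {v.decode("utf-8") if isinstance(v, bytes) else v
               for v in name_attr_values}
    return indicators_satisfy(required, present)


def demo():
    """Replay the page's scenario plus a multi-valued requirement."""
    # Constructed KDB view: string attributes per service principal.
    services = {
        "host/high.value.server": {"require_auth": "strong"},
        "HTTP/portal.example.com": {"require_auth": "strong otp-hw"},
        "host/ordinary.server": {},
    }
    # Constructed clients: indicators present in each client's TGT.
    clients = {
        "pkinit-user": {"strong"},
        "otp-user": {"otp-hw"},
        "password-user": set(),
    }
    return {
        (client, service): kdc_decide(services[service], clients[client])
        for client in clients
        for service in services
    }


if __name__ == "__main__":
    for (client, service), outcome in sorted(demo().items()):
        print(f"{client:14s} -> {service:24s}: {outcome}")
```

Running the module prints the decision matrix: the PKINIT user reaches
every service, the OTP user reaches the portal because ``otp-hw`` is
one of its two accepted values, and the password user is rejected by
both restricted services but still reaches ``host/ordinary.server``,
which has no **require_auth** set.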