.. _auth_indicator:

Authentication indicators
=========================

As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as :ref:`PKINIT <pkinit>` or :ref:`OTP <otp_preauth>`.  These
annotations are called "authentication indicators."  Service
principals can be configured to require particular authentication
indicators in order to authenticate to that service.  An
authentication indicator value can be any string chosen by the KDC
administrator; there are no pre-set values.

To use authentication indicators with PKINIT or OTP, first configure
the KDC to include an indicator when that preauthentication mechanism
is used.  For PKINIT, use the **pkinit_indicator** variable in
:ref:`kdc.conf(5)`.  For OTP, use the **indicator** variable in the
token type definition, or specify the indicators in the **otp** user
string as described in :ref:`otp_preauth`.

To require an indicator to be present in order to authenticate to a
service principal, set the **require_auth** string attribute on the
principal to the indicator value to be required.  If you wish to allow
one of several indicators to be accepted, you can specify multiple
indicator values separated by spaces.

For example, a realm could be configured to set the authentication
indicator value "strong" when PKINIT is used to authenticate, using a
setting in the :ref:`kdc_realms` subsection::

    pkinit_indicator = strong

A service principal could be configured to require the "strong"
authentication indicator value::

    $ kadmin setstr host/high.value.server require_auth strong
    Password for user/admin@KRBTEST.COM:

A user who authenticates with PKINIT would be able to obtain a ticket
for the service principal::

    $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
    $ kvno host/high.value.server
    host/high.value.server@KRBTEST.COM: kvno = 1

but a user who authenticates with a password would not::

    $ kinit user
    Password for user@KRBTEST.COM:
    $ kvno host/high.value.server
    kvno: KDC policy rejects request while getting credentials for
    host/high.value.server@KRBTEST.COM

GSSAPI server applications can inspect authentication indicators
through the :ref:`auth-indicators <gssapi_authind_attr>` name
attribute.
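The following Python model, added here as an illustration and not taken from krb5's own sources, shows how the **require_auth** attribute described above is evaluated against the indicators carried in a client's ticket.  It assumes that the attribute is split on whitespace into a list of acceptable indicators, that a ticket is issued when the client's indicators contain at least one of them (an "any of" rule, not "all of"), that an absent or empty attribute imposes no requirement, and that values are compared as exact, case-sensitive strings.  The scenario names and indicator lists are constructed to replay the PKINIT-versus-password example from this page.

```python
"""Model of the KDC's require_auth check for authentication indicators.

Added illustration; not krb5 code.  Assumptions: require_auth is split on
whitespace, any one listed indicator is sufficient, an empty or missing
attribute means no requirement, and comparison is exact and case-sensitive.
"""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_require_auth(attr: Optional[str]) -> FrozenSet[str]:
    """Split a require_auth string attribute into the set of acceptable
    indicators.  None or an empty/blank string yields an empty set, which
    this model treats as "no requirement"."""
    if attr is None:
        return frozenset()
    return frozenset(attr.split())


def kdc_allows(require_auth: Optional[str], ticket_indicators: List[str]) -> Decision:
    """Decide whether a service ticket may be issued for a principal whose
    require_auth attribute is `require_auth`, given the authentication
    indicators annotated on the client's TGT."""
    required = parse_require_auth(require_auth)
    if not required:
        return Decision(True, "service principal has no require_auth attribute")
    # "any of" semantics: one matching indicator is enough.
    matched = required & set(ticket_indicators)
    if matched:
        return Decision(True, "indicator %r satisfies require_auth" % sorted(matched)[0])
    return Decision(False, "KDC policy rejects request: none of %s present in ticket"
                    % sorted(required))


def replay_page_example() -> Dict[str, bool]:
    """Constructed replay of the document's example: host/high.value.server
    requires "strong"; a PKINIT-authenticated TGT carries that indicator
    (pkinit_indicator = strong), a password-authenticated TGT carries none."""
    require_auth = "strong"          # kadmin setstr host/high.value.server require_auth strong
    pkinit_tgt = ["strong"]          # annotated by the KDC because PKINIT was used
    password_tgt: List[str] = []     # password preauth adds no indicator
    return {
        "pkinit_user": kdc_allows(require_auth, pkinit_tgt).allowed,
        "password_user": kdc_allows(require_auth, password_tgt).allowed,
    }


if __name__ == "__main__":
    for who, ok in replay_page_example().items():
        print("%-14s %s" % (who, "ticket issued" if ok else "KDC policy rejects request"))
    # A principal that accepts either of two indicators:
    print(kdc_allows("strong hardware", ["hardware"]).reason)
```

The same "any of" rule is what a GSSAPI server enforcing its own policy from the ``auth-indicators`` name attribute would apply; the model deliberately does not lower-case or trim values, since an indicator configured as ``Strong`` will not satisfy a ``require_auth`` of ``strong``.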