xref: /freebsd/crypto/krb5/doc/html/admin/auth_indicator.html (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)

<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

    <title>Authentication indicators &#8212; MIT Kerberos Documentation</title>
    <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
    <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
    <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
    <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
    <script src="../_static/jquery.js"></script>
    <script src="../_static/underscore.js"></script>
    <script src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="next" title="Administration programs" href="admin_commands/index.html" />
    <link rel="prev" title="HTTPS proxy configuration" href="https.html" />
  </head><body>
    <div class="header-wrapper">
        <div class="header">


            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>

            <div class="rel">

        <a href="../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="https.html" title="HTTPS proxy configuration"
            accesskey="P">previous</a> |
        <a href="admin_commands/index.html" title="Administration programs"
            accesskey="N">next</a> |
        <a href="../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">

      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">

  <section id="authentication-indicators">
<span id="auth-indicator"></span><h1>Authentication indicators<a class="headerlink" href="#authentication-indicators" title="Permalink to this headline">¶</a></h1>
<p>As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a>.  These
annotations are called “authentication indicators.”  Service
principals can be configured to require particular authentication
indicators before a client may authenticate to that service.  An
authentication indicator value can be any string chosen by the KDC
administrator; there are no pre-set values.</p>
<p>To use authentication indicators with PKINIT or OTP, first configure
the KDC to include an indicator when that preauthentication mechanism
is used.  For PKINIT, use the <strong>pkinit_indicator</strong> variable in
<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.  For OTP, use the <strong>indicator</strong> variable in the
token type definition, or specify the indicators in the <strong>otp</strong> user
string as described in <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP Preauthentication</span></a>.</p>
<p>To require an indicator to be present in order to authenticate to a
service principal, set the <strong>require_auth</strong> string attribute on the
principal to the indicator value to be required.  To accept any one of
several indicators, specify multiple indicator values separated by
spaces.</p>
<p>For example, a realm could be configured to set the authentication
indicator value “strong” when PKINIT is used to authenticate, using a
setting in the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_indicator</span> <span class="o">=</span> <span class="n">strong</span>
</pre></div>
</div>
<p>A service principal could be configured to require the “strong”
authentication indicator value:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin setstr host/high.value.server require_auth strong
Password for user/admin@KRBTEST.COM:
</pre></div>
</div>
<p>A user who authenticates with PKINIT would be able to obtain a ticket
for the service principal:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
$ kvno host/high.value.server
host/high.value.server@KRBTEST.COM: kvno = 1
</pre></div>
</div>
<p>but a user who authenticates with a password would not:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kinit user
Password for user@KRBTEST.COM:
$ kvno host/high.value.server
kvno: KDC policy rejects request while getting credentials for
  host/high.value.server@KRBTEST.COM
</pre></div>
</div>
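<p>As an added example (not code from the krb5 project or its documentation), the following Python audit applies the rules above offline: it collects the indicators a KDC is configured to issue (<strong>pkinit_indicator</strong> in the [realms] subsection and <strong>indicator</strong> in OTP token type definitions; indicators set through the per-user <strong>otp</strong> string are not covered), parses each service principal's <strong>require_auth</strong> attribute as shown by <code>kadmin getstrs</code>, and reports requirements that no configured mechanism could ever satisfy. The kdc.conf fragment and the getstrs output are constructed; the hotp_token type and the imap/ldap/plain principals are assumptions.</p>

```python
# Added example, not krb5 project code: offline audit of authentication-
# indicator settings.  Flags require_auth values that no configured
# preauthentication mechanism is set up to issue (a silent lock-out).
import re

# Constructed kdc.conf fragment, modelled on the page's "pkinit_indicator = strong".
KDC_CONF = """\
[realms]
    KRBTEST.COM = {
        pkinit_indicator = strong
    }
[otp]
    hotp_token = {
        indicator = otp
    }
"""

# Constructed `kadmin getstrs <principal>` output, keyed by principal (assumed names).
GETSTRS = {
    "host/high.value.server@KRBTEST.COM": "require_auth: strong",
    "imap/mail.example@KRBTEST.COM": "require_auth: strong otp",
    "ldap/dir.example@KRBTEST.COM": "require_auth: hardware",
    "host/plain.example@KRBTEST.COM": "",
}

def issuable_indicators(conf):
    """Every indicator value some preauth mechanism is configured to issue."""
    pairs = re.findall(r"^\s*(pkinit_indicator|indicator)\s*=\s*(\S+)", conf, re.M)
    return {value for _key, value in pairs}

def required_indicators(getstrs_output):
    """Parse require_auth; space-separated values mean 'any one of these'."""
    m = re.search(r"^require_auth:\s*(.*)$", getstrs_output, re.M)
    return m.group(1).split() if m else []

def ticket_allowed(ticket_indicators, required):
    """KDC rule: no requirement set, or at least one required indicator present."""
    return not required or any(r in ticket_indicators for r in required)

def audit(conf, principals):
    """Principals whose require_auth names an indicator the KDC never issues,
    mapped to those unissuable values (empty dict: every requirement is satisfiable)."""
    issuable = issuable_indicators(conf)
    result = {}
    for princ, output in principals.items():
        missing = [r for r in required_indicators(output) if r not in issuable]
        if missing:
            result[princ] = missing
    return result
```

Run <code>audit(KDC_CONF, GETSTRS)</code> against a real kdc.conf and the getstrs output of your service principals to catch a require_auth value that was never wired to any mechanism.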
<p>GSSAPI server applications can inspect authentication indicators
through the <a class="reference internal" href="../appdev/gssapi.html#gssapi-authind-attr"><span class="std std-ref">auth-indicators</span></a> name
attribute.</p>
</section>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
        </div>
        <div class="sidebar">

    <h2>On this page</h2>
    <ul>
<li><a class="reference internal" href="#">Authentication indicators</a></li>
</ul>

    <br/>
    <h2>Table of contents</h2>
    <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Authentication indicators</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>

    <br/>
    <h4><a href="../index.html">Full Table of Contents</a></h4>
    <h4>Search</h4>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" size="18" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>

        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.21.3</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
            </div>
            <div class="left">

        <a href="../index.html" title="Full Table of Contents"
            >Contents</a> |
        <a href="https.html" title="HTTPS proxy configuration"
            >previous</a> |
        <a href="admin_commands/index.html" title="Administration programs"
            >next</a> |
        <a href="../genindex.html" title="General Index"
            >index</a> |
        <a href="../search.html" title="Enter search criteria"
            >Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
            </div>
        </div>
    </div>

  </body>
</html>