source-git / krb5

Clone
Source Code
GIT

Files

c8 c8s master
  1.   c8
  2.   doc
  3.   html
  4.   admin
  5.   auth_indicator.html
Blob Blame History Raw 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Authentication indicators &#8212; MIT Kerberos Documentation</title>
    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.18.2',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="next" title="Administration programs" href="admin_commands/index.html" />
    <link rel="prev" title="HTTPS proxy configuration" href="https.html" /> 
  </head>
  <body>
    <div class="header-wrapper">
        <div class="header">
            
            
            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
            
            <div class="rel">
                
        <a href="../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="https.html" title="HTTPS proxy configuration"
            accesskey="P">previous</a> |
        <a href="admin_commands/index.html" title="Administration programs"
            accesskey="N">next</a> |
        <a href="../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">
            
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="authentication-indicators">
<span id="auth-indicator"></span><h1>Authentication indicators<a class="headerlink" href="#authentication-indicators" title="Permalink to this headline">¶</a></h1>
<p>As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a>.  These
annotations are called “authentication indicators.”  Service
principals can be configured to require particular authentication
indicators in order to authenticate to that service.  An
authentication indicator value can be any string chosen by the KDC
administrator; there are no pre-set values.</p>
<p>To use authentication indicators with PKINIT or OTP, first configure
the KDC to include an indicator when that preauthentication mechanism
is used.  For PKINIT, use the <strong>pkinit_indicator</strong> variable in
<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.  For OTP, use the <strong>indicator</strong> variable in the
token type definition, or specify the indicators in the <strong>otp</strong> user
string as described in <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP Preauthentication</span></a>.</p>
<p>To require an indicator to be present in order to authenticate to a
service principal, set the <strong>require_auth</strong> string attribute on the
principal to the indicator value to be required.  If you wish to allow
one of several indicators to be accepted, you can specify multiple
indicator values separated by spaces.</p>
<p>For example, a realm could be configured to set the authentication
indicator value “strong” when PKINIT is used to authenticate, using a
setting in the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_indicator</span> <span class="o">=</span> <span class="n">strong</span>
</pre></div>
</div>
<p>A service principal could be configured to require the “strong”
authentication indicator value:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>$ kadmin setstr host/high.value.server require_auth strong
Password for user/admin@KRBTEST.COM:
</pre></div>
</div>
<p>A user who authenticates with PKINIT would be able to obtain a ticket
for the service principal:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
$ kvno host/high.value.server
host/high.value.server@KRBTEST.COM: kvno = 1
</pre></div>
</div>
<p>but a user who authenticates with a password would not:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>$ kinit user
Password for user@KRBTEST.COM:
$ kvno host/high.value.server
kvno: KDC policy rejects request while getting credentials for
  host/high.value.server@KRBTEST.COM
</pre></div>
</div>
<p>GSSAPI server applications can inspect authentication indicators
through the <a class="reference internal" href="../appdev/gssapi.html#gssapi-authind-attr"><span class="std std-ref">auth-indicators</span></a> name
attribute.</p>
</div>


          </div>
        </div>
      </div>
        </div>
        <div class="sidebar">
    <h2>On this page</h2>
    <ul>
<li><a class="reference internal" href="#">Authentication indicators</a></li>
</ul>

    <br/>
    <h2>Table of contents</h2>
    <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Authentication indicators</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration  programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>

    <br/>
    <h4><a href="../index.html">Full Table of Contents</a></h4>
    <h4>Search</h4>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" size="18" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.18.2</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2020, MIT.
            </div>
            <div class="left">
                
        <a href="../index.html" title="Full Table of Contents"
            >Contents</a> |
        <a href="https.html" title="HTTPS proxy configuration"
            >previous</a> |
        <a href="admin_commands/index.html" title="Administration programs"
            >next</a> |
        <a href="../genindex.html" title="General Index"
            >index</a> |
        <a href="../search.html" title="Enter search criteria"
            >Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
            </div>
        </div>
    </div>

  </body>
</html>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation