Administering the Kerberos Server
Manual Administration Using kadmin
Require Preauthentication Attribute
The Require Preauthentication attribute determines whether a principal is required to preauthenticate when requesting a TGT. Preauthentication implies that the client logon program attaches known encrypted data to a ticket request, providing additional security when the TGT is presented to access a secured service.
The Require Preauthentication attribute applies to user and service principals. If this attribute is set for a user principal, the user must run the logon software that performs authentication using the preauthentication protocol. If this attribute is set for a service principal, the service accepts TGTs only from user principals that obtained a TGT using a preauthentication protocol.
NOTE: Client applications require preauthentication by default; however, a client can override this setting.
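The two checks described above can be modelled in a few lines. This is an added illustration, not code from the Kerberos server: an HMAC tag over a timestamp stands in for the encrypted data a real client sends, and the names, the 300-second skew limit and the error strings are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_SKEW = 300  # seconds; assumed clock-skew tolerance for this model

@dataclass
class Principal:
    name: str
    key: bytes
    require_preauth: bool = False

def make_key(password: str, name: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), name.encode(), 10_000)

def make_padata(key: bytes, now: int) -> tuple:
    # Client side: prove knowledge of the key over the current time.
    # Real Kerberos encrypts the timestamp; an HMAC tag stands in for it here.
    return now, hmac.new(key, str(now).encode(), hashlib.sha256).digest()

def as_request(user: Principal, padata, kdc_time: int) -> dict:
    """Return a model TGT, or raise PermissionError with the reason."""
    if padata is None:
        if user.require_preauth:
            raise PermissionError("preauthentication required")
        return {"client": user.name, "pre_authent": False}
    stamp, tag = padata
    expected = hmac.new(user.key, str(stamp).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("preauthentication failed")
    if abs(kdc_time - stamp) > MAX_SKEW:
        raise PermissionError("clock skew too great")
    return {"client": user.name, "pre_authent": True}

def tgs_request(tgt: dict, service: Principal) -> str:
    # A service principal with the attribute set only accepts preauthenticated TGTs.
    if service.require_preauth and not tgt["pre_authent"]:
        raise PermissionError("service requires a preauthenticated TGT")
    return f"ticket for {service.name} issued to {tgt['client']}"

if __name__ == "__main__":
    # Constructed principals and password, for illustration only.
    svc = Principal("host/app", b"", require_preauth=True)
    alice = Principal("alice", make_key("example-pw", "alice"), require_preauth=True)
    tgt = as_request(alice, make_padata(alice.key, 1_000), kdc_time=1_010)
    print(tgs_request(tgt, svc))
```

A user principal without the attribute can still obtain a TGT with no preauthentication data, but that TGT is refused by any service principal that has the attribute set.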
To modify the type of parameter attr for the principal admin and to set the Require Preauthentication attribute, type kadmin at the
Following is a sample output of the Require Preauthentication attribute:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit): attr
Attribute (or quit): {preauth|nopreauth}
Principal modified.
Require Password Change Attribute
The Require Password Change attribute determines whether a principal must change the password of the user during the next authentication attempt. You must change the password when this attribute is set for a principal.