Administering the Kerberos Server

Manual Administration Using kadmin

Require Preauthentication Attribute

The Require Preauthentication attribute determines whether a principal is required to preauthenticate when requesting a TGT. Preauthentication implies that the client logon program attaches known encrypted data to a ticket request, providing additional security when the TGT is presented to access a secured service.

The Require Preauthentication attribute applies to user and service principals. If this attribute is set for a user principal, the user must run the logon software that performs authentication using the preauthentication protocol. If this attribute is set for a service principal, the service accepts TGTs only from user principals that obtained a TGT using a preauthentication protocol.

NOTE

Client applications require preauthentication by default; however, a

 

client can override this setting.

 

 

To modify the type of parameter attr for the principal admin and to set the Require Preauthentication attribute, type kadmin at the HP-UX prompt and specify the mod command, the principal name, the attr parameter type, and the attribute.

Following is a sample output of the Require Preauthentication attribute:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :attr

Attribute (or quit): {preauthnopreauth}

Principal modified.

Require Password Change Attribute

The Require Password Change attribute determines whether a principal must change the password of the user during the next authentication attempt. You must change the password when this attribute is set for a principal.

216

Chapter 8

Page 216
Image 216
HP UX Kerberos Data Security Software manual Require Preauthentication Attribute, Require Password Change Attribute