Administering the Kerberos Server

Manual Administration Using kadmin

Require Initial Authentication Attribute

The Require Initial Authentication attribute specifies if the server is allowed to issue service tickets to a service principal on behalf of a user principal using an existing TGT.

The Require Initial Authentication attribute applies only to service principals. If you set this attribute, user principals must reauthenticate to the Kerberos server before the server issues a service ticket for that service. For example, the change password service requires a principal to enter a password to receive a ticket for the change password service before changing the password. If you set this attribute, the server may issue a service ticket based on the existing TGT of the user principal.

NOTE  In Principal Information>Edit>Edit Administrative Permissions, if you select the Require Initial Authentication attribute, the Allow as Service Attribute is automatically selected.

Do not enable this setting for user principal accounts. This attribute is applicable to selected service principals.

To modify the type of parameter attr for the principal admin and to set the Require Initial Authentication attribute, type kadmin at the HP-UX prompt and specify the mod command, the principal name, the attr parameter type, and the attribute.

Following is a sample output of the Require Initial Authentication attribute:

Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno, policy,dn or quit) :attr
Attribute (or quit): {tgtnotgt}
Principal modified.

The notgt command in kadmin is equivalent to selecting the Require Initial Authentication checkbox, and the tgt command in kadmin is equivalent to clearing the Require Initial Authentication checkbox on the Principal Information window>Attributes tab.
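
The effect of the attribute on ticket issuance, shown as an added example that is not part of the original manual and is not HP-UX Kerberos server code. It is a toy Python model that follows the page's statement that, with the attribute set (notgt), a user principal must reauthenticate before a ticket for that service is issued. The user alice, the password, the service names changepw and host/app1, and all class and method names are constructed for illustration.

```python
# Added illustration: a toy KDC model, not HP-UX Kerberos server code.
# All class, method and principal names below are hypothetical.
from dataclasses import dataclass, field


@dataclass
class ToyKDC:
    passwords: dict                          # user principal -> password (constructed)
    notgt: set = field(default_factory=set)  # services with Require Initial Authentication set

    def initial_auth(self, user, password, target="krbtgt"):
        """Initial authentication: the user proves knowledge of the password.
        Returns a ticket for `target` (the TGT by default)."""
        if self.passwords.get(user) != password:
            raise PermissionError("initial authentication failed")
        return {"client": user, "service": target, "initial": True}

    def ticket_from_tgt(self, tgt, service):
        """Service ticket requested on the strength of an existing TGT."""
        if tgt.get("service") != "krbtgt":
            raise PermissionError("not a TGT")
        if service in self.notgt:
            # Attribute set (kadmin: notgt): an existing TGT is not enough.
            raise PermissionError(f"{service}: initial authentication required")
        return {"client": tgt["client"], "service": service, "initial": False}


def demo():
    kdc = ToyKDC(passwords={"alice": "correct horse"}, notgt={"changepw"})
    tgt = kdc.initial_auth("alice", "correct horse")
    results = {}
    # Ordinary service (attribute clear, kadmin: tgt): the TGT suffices.
    results["host_via_tgt"] = kdc.ticket_from_tgt(tgt, "host/app1")["service"]
    # Change password service (attribute set): the TGT alone is refused ...
    try:
        kdc.ticket_from_tgt(tgt, "changepw")
        results["changepw_via_tgt"] = "issued"
    except PermissionError:
        results["changepw_via_tgt"] = "refused"
    # ... and the ticket is issued only after the password is entered again.
    results["changepw_via_password"] = kdc.initial_auth(
        "alice", "correct horse", target="changepw")["initial"]
    return results


if __name__ == "__main__":
    print(demo())
```

In this model, a TGT left in a credential cache cannot be used on its own to obtain a ticket for the change password service, which is the protection the attribute provides for sensitive service principals.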
