Suchen
SupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 49. Managing Kerberos flags

download PDF

Kerberos flags are crucial for specifying authentication mechanisms, authorization levels, and security protocols within a Kerberos-enabled network environment. With Kerberos flags, you can ensure secure access control, protect against unauthorized access, and improve interoperability between different Kerberos implementations.

49.1. Kerberos flags for services and hosts

You can use various Kerberos flags to define specific aspects of the Kerberos ticket behavior. You can add these flags to service and host Kerberos principals.

Principals in Identity Management (IdM) accept the following Kerberos flags:

  • OK_AS_DELEGATE

    Use this flag to specify Kerberos tickets trusted for delegation.

    Active directory (AD) clients check the OK_AS_DELEGATE flag on the Kerberos ticket to determine whether a user credentials can be forwarded or delegated to a specific server. AD forwards the ticket-granting ticket (TGT) only to services or hosts with OK_AS_DELEGATE configured. With this flag, system security services daemon (SSSD) can add the AD user TGT to the default Kerberos credentials cache on the IdM client machine.

  • REQUIRES_PRE_AUTH

    Use this flag to specify that only pre-authenticated tickets are allowed to authenticate to a principal.

    With the REQUIRES_PRE_AUTH flag set, the key distribution center (KDC) requires additional authentication: the KDC issues the TGT for the principal with REQUIRES_PRE_AUTH only if the TGT has been pre-authenticated.

    You can clear REQUIRES_PRE_AUTH to disable pre-authentication for selected services or hosts. This lowers the load on the KDC, however slightly increases the possibility of a brute-force attack on a long-term key to succeed.

  • OK_TO_AUTH_AS_DELEGATE

    Use the OK_TO_AUTH_AS_DELEGATE flag to specify that the service is allowed to obtain a Kerberos ticket on behalf of a user. Note, that for obtaining other tickets on behalf of the user, the service needs the OK_AS_DELEGATE flag and a corresponding policy decision allowed on the key distribution center side.

49.2. Setting Kerberos flags from the Web UI

You can set a Kerberos flags by using the IdM Web UI. The following procedure sets the Kerberos flag to a principal.

Procedure

  1. Select Identity Services in the menu.

    List of services

  2. Click on the service to which you want to add the flags.

  3. Check the option that you want to set:

    • To set the OK_AS_DELEGATE flag, check Trusted for delegation.
    • To set the REQUIRES_PRE_AUTH flag, check Requires pre-authentication.
    • To set the OK_TO_AUTH_AS_DELEGATE flag, check Trusted to authenticate as user.

49.3. Setting and removing Kerberos flags from the command line

You can add or remove a Kerberos flag by using the command line. The ipa service-mod command uses the following command options for the flags:

  • --ok-as-delegate for OK_AS_DELEGATE
  • --requires-pre-auth for REQUIRES_PRE_AUTH
  • --ok-to-auth-as-delegate for OK_TO_AUTH_AS_DELEGATE

By setting an option value to 1, you enable a flag for a principle. By setting an option value to 0, you disable the flag.

The following procedure enables and disables the OK_AS_DELEGATE flag for the service/ipa.example.com@example.com principal.

Procedure

  • To add the OK_AS_DELEGATE flag for the service/ipa.example.com@example.com principle, run: 

    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=1

  • To remove the OK_AS_DELEGATE flag from the service/ipa.example.com@example.com principle, run: 

    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=0

49.4. Displaying Kerberos flags from the command line

You can display Kerberos flag setting by using the command line. The following procedure displays the OK_AS_DELEGATE flag for the demo/ipa.example.com@EXAMPLE.COM principal.

Procedure

To find out if OK_AS_DELEGATE is set for a principal:

  1. Run the kvno utility: 

    $ kvno demo/ipa.example.com@EXAMPLE.COM

  2. To display the flag setting, run the klist -f command. The 0 character means that the OK_AS_DELEGATE flag is disabled: 

    $ klist -f
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting		Expires			Service principal
02/19/2024 09:59:02	02/20/2024 08:21:33	demo/ipa/example.com@EXAMPLE.COM
    Flags: FATO
Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.