Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 14. Managing Kerberos ticket policies

Kerberos ticket policies in Identity Management (IdM) set restrictions on Kerberos ticket access, duration, and renewal. You can configure Kerberos ticket policies for the Key Distribution Center (KDC) running on your IdM server.

14.1. The role of the IdM KDC
Copiar enlace

Identity Management (IdM) authentication relies on the Kerberos Key Distribution Center (KDC), the trusted authority that issues and validates tickets for all users, services, and hosts in the IdM network.

Each IdM user, service, and host acts as a Kerberos client and is identified by a unique Kerberos principal:

  • For users: identifier@REALM, such as admin@EXAMPLE.COM
  • For services: service/fully-qualified-hostname@REALM, such as http/server.example.com@EXAMPLE.COM
  • For hosts: host/fully-qualified-hostname@REALM, such as host/client.example.com@EXAMPLE.COM

The following image is a simplification of the communication between a Kerberos client, the KDC, and a Kerberized application that the client wants to communicate with.

Kerberos KDC flow of communication
  1. A Kerberos client identifies itself to the KDC by authenticating as a Kerberos principal. For example, an IdM user performs kinit username and provides their password.
  2. The KDC checks for the principal in its database, authenticates the client, and evaluates Kerberos ticket policies to determine whether to grant the request.
  3. The KDC issues the client a ticket-granting ticket (TGT) with a lifecycle and authentication indicators according to the appropriate ticket policy.
  4. With the TGT, the client requests a service ticket from the KDC to communicate with a Kerberized service on a target host.
  5. The KDC checks if the client’s TGT is still valid, and evaluates the service ticket request against ticket policies.
  6. The KDC issues the client a service ticket.
  7. With the service ticket, the client can initiate encrypted communication with the service on the target host.

14.2. IdM Kerberos ticket policy types
Copiar enlace

Learn about Identity Management (IdM) Kerberos ticket policy types to understand how to enforce authentication requirements and control ticket lifecycles across your deployment.

Connection policy

To protect Kerberized services with different levels of security, you can define connection policies to enforce rules based on which pre-authentication mechanism a client used to retrieve a ticket-granting ticket (TGT).

For example, you can require smart card authentication to connect to client1.example.com, and require two-factor authentication to access the testservice application on client2.example.com.

To enforce connection policies, associate authentication indicators with services. Only clients that have the required authentication indicators in their service ticket requests are able to access those services. For more information, see Kerberos authentication indicators.

Ticket lifecycle policy

Each Kerberos ticket has a lifetime and a potential renewal age: you can renew a ticket before it reaches its maximum lifetime, but not after it exceeds its maximum renewal age.

The default global ticket lifetime is one day (86400 seconds) and the default global maximum renewal age is one week (604800 seconds). To adjust these global values, see Configuring the global ticket lifecycle policy.

You can also define your own ticket lifecycle policies:

14.3. Kerberos authentication indicators
Copiar enlace

Kerberos authentication indicators identify which pre-authentication mechanism a client used to obtain a ticket-granting ticket (TGT). Services can require specific authentication indicators to enforce security policies like smart card or two-factor authentication.

The indicators are:

otp
two-factor authentication (password + One-Time Password)
radius
RADIUS authentication (commonly for 802.1x authentication)
pkinit
PKINIT, smart card, or certificate authentication
hardened
hardened passwords (SPAKE or FAST)[1]

The KDC then attaches the authentication indicators from the TGT to any service ticket requests that stem from it. The KDC enforces policies such as service access control, maximum ticket lifetime, and maximum renewable age based on the authentication indicators.

Authentication indicators and IdM services
If you associate a service or a host with an authentication indicator, only clients that used the corresponding authentication mechanism to obtain a TGT will be able to access it. The KDC, not the application or service, checks for authentication indicators in service ticket requests, and grants or denies requests based on Kerberos connection policies.

If a service or a host has no authentication indicators assigned to it, it will accept tickets authenticated by any mechanism.

14.4. Enforcing authentication indicators for an IdM service
Copiar enlace

Enforce authentication indicators for an Identity Management (IdM) service to require specific pre-authentication methods for access. This ensures that only users who authenticated with stronger methods, such as one-time passwords, can access security-critical services.

Authentication mechanisms in IdM vary in their security strength. For example, obtaining a ticket-granting ticket (TGT) using a one-time password (OTP) combined with a password is more secure than using only a password. By associating authentication indicators with a particular IdM service, you can configure the service so that only users who used specific pre-authentication mechanisms to obtain their initial TGT will be able to access it.

In this way, you can configure different IdM services so that:

  • Only users who used a stronger authentication method to obtain their initial TGT, such as a one-time password (OTP), can access services critical to security, such as a VPN.
  • Users who used simpler authentication methods to obtain their initial TGT, such as a password, can only access non-critical services, such as local logins.

Figure 14.1. Example of authenticating using different technologies

auth indicators

This procedure describes creating an IdM service and configuring it to require particular Kerberos authentication indicators from incoming service ticket requests.

14.4.1. Creating an IdM service entry and its Kerberos keytab
Copiar enlace

Create service entries in Identity Management (IdM) to generate Kerberos principals and enable SSL certificate or Kerberos keytab requests. Service entries establish secure identities for applications and automate credential management without using cleartext passwords.

Prerequisites

  • Your service can store a Kerberos principal, an SSL certificate, or both.

Procedure

  1. Add an IdM service with the ipa service-add command to create a Kerberos principal associated with it. For example, to create the IdM service entry for the testservice application that runs on host client.example.com: 

    [root@client ~]# ipa service-add testservice/client.example.com
-------------------------------------------------------------
Modified service "testservice/client.example.com@EXAMPLE.COM"
-------------------------------------------------------------
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Managed by: client.example.com

  2. Generate and store a Kerberos keytab for the service on the client. 

    [root@client ~]# ipa-getkeytab -k /etc/testservice.keytab -p testservice/client.example.com
Keytab successfully retrieved and stored in: /etc/testservice.keytab

Verification

  1. Display information about an IdM service with the ipa service-show command. 

    [root@server ~]# ipa service-show testservice/client.example.com
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: client.example.com

  2. Display the contents of the service’s Kerberos keytab with the klist command. 

    [root@server etc]# klist -ekt /etc/testservice.keytab
Keytab name: FILE:/etc/testservice.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (camellia256-cts-cmac)

Require specific authentication methods for accessing services using the Identity Management (IdM) CLI by configuring authentication indicators. With authentication indicators configured, you can enforce stronger authentication like two-factor or smart cards for sensitive services.

For example, you can ensure that only users who used a valid IdM two-factor authentication token with their password when obtaining a Kerberos ticket-granting ticket (TGT) will be able to access that host or service.

Follow this procedure to configure a service to require particular Kerberos authentication indicators from incoming service ticket requests.

When you configure a service, you must specify authentication indicators using the --auth-ind argument. Common --auth-ind values include:

otp
For two-factor authentication.
radius
For RADIUS authentication.
pkinit
For PKINIT, smart card, or certificate authentication.
hardened
For hardened passwords (SPAKE or FAST).

Prerequisites

Warning

Do not assign authentication indicators to internal IdM services. The following IdM services cannot perform the interactive authentication steps required by PKINIT and multi-factor authentication methods: 

host/server.example.com@EXAMPLE.COM
HTTP/server.example.com@EXAMPLE.COM
ldap/server.example.com@EXAMPLE.COM
DNS/server.example.com@EXAMPLE.COM
cifs/server.example.com@EXAMPLE.COM

Procedure

  • Use the ipa service-mod command to specify one or more required authentication indicators for a service, identified with the --auth-ind argument.

    For example, to require that a user was authenticated with smart card or OTP authentication to retrieve a service ticket for the testservice principal on host client.example.com: 

    [root@server ~]# ipa service-mod testservice/client.example.com@EXAMPLE.COM --auth-ind otp --auth-ind pkinit
-------------------------------------------------------------
Modified service "testservice/client.example.com@EXAMPLE.COM"
-------------------------------------------------------------
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Authentication Indicators: otp, pkinit
  Managed by: client.example.com

  • To remove all authentication indicators from a service, provide an empty list of indicators: 

    [root@server ~]# ipa service-mod testservice/client.example.com@EXAMPLE.COM --auth-ind ''
------------------------------------------------------
Modified service "testservice/client.example.com@EXAMPLE.COM"
------------------------------------------------------
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Managed by: client.example.com

Verification

  • Display information about an IdM service, including the authentication indicators it requires, with the ipa service-show command. 

    [root@server ~]# ipa service-show testservice/client.example.com
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Authentication Indicators: otp, pkinit
  Keytab: True
  Managed by: client.example.com

Require specific authentication methods for accessing services using the Identity Management (IdM) Web UI by configuring authentication indicators. With authentication indicators configured, you can enforce stronger authentication like two-factor or smart cards for sensitive services.

For example, you can ensure that only users who used a valid IdM two-factor authentication token with their password when obtaining a Kerberos ticket-granting ticket (TGT) will be able to access that host or service.

Follow this procedure to use the IdM Web UI to configure a host or service to require particular Kerberos authentication indicators from incoming ticket requests.

Prerequisites

  • You have logged in to the IdM Web UI as an administrative user.

Procedure

  1. Select Identity Hosts or Identity Services.
  2. Click the name of the required host or service.

  3. Under Authentication indicators, select the required authentication method.

    • For example, selecting OTP ensures that only users who used a valid IdM two-factor authentication token with their password when obtaining a Kerberos TGT will be able to access the host or service.
    • If you select both OTP and RADIUS, then both users that used a valid IdM two-factor authentication token with their password when obtaining a Kerberos TGT and users that used the RADIUS server for obtaining their Kerberos TGT will be allowed access.
  4. Click Save at the top of the page.

14.4.4. Retrieving a Kerberos service ticket for an IdM service
Copiar enlace

Retrieve a Kerberos service ticket for an Identity Management (IdM) service to verify that Kerberos ticket policies, such as required authentication indicators, are enforced correctly for that service.

Prerequisites

Procedure

  • Use the kvno command with the -S option to retrieve a service ticket, and specify the name of the IdM service and the fully-qualified domain name of the host that manages it. 

    [root@server ~]# kvno -S testservice client.example.com
testservice/client.example.com@EXAMPLE.COM: kvno = 1
    Note

    If you need to access an IdM service and your current ticket-granting ticket (TGT) does not possess the required Kerberos authentication indicators associated with it, clear your current Kerberos credentials cache with the kdestroy command and retrieve a new TGT: 

    [root@server ~]# kdestroy

    For example, if you initially retrieved a TGT by authenticating with a password, and you need to access an IdM service that has the pkinit authentication indicator associated with it, destroy your current credentials cache and re-authenticate with a smart card. See Kerberos authentication indicators.

Verification

  • Use the klist command to verify that the service ticket is in the default Kerberos credentials cache. 

    [root@server etc]# klist_
Ticket cache: KCM:1000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
04/01/2020 12:52:42  04/02/2020 12:52:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/2020 12:54:07 04/02/2020 12:52:39 testservice/client.example.com@EXAMPLE.COM

14.5. Configuring the global ticket lifecycle policy
Copiar enlace

Adjust the global Kerberos ticket policy in Identity Management (IdM) to set baseline security requirements for all users and services. Global policies help maintain consistent authentication security across your entire environment.

The global ticket policy applies to all service tickets and to users that do not have any per-user ticket policies defined.

While using the ipa krbtpolicy-mod command, specify at least one of the following arguments:

  • --maxlife for the maximum ticket lifetime in seconds
  • --maxrenew for the maximum renewable age in seconds

Procedure

  1. To modify the global ticket policy: 

    [root@server ~]# ipa krbtpolicy-mod --maxlife=$((8*60*60)) --maxrenew=$((24*60*60))
  Max life: 28800
  Max renew: 86400

    In this example, the maximum lifetime is set to eight hours (8 * 60 minutes * 60 seconds) and the maximum renewal age is set to one day (24 * 60 minutes * 60 seconds).

  2. Optional: To reset the global Kerberos ticket policy to the default installation values: 

    [root@server ~]# ipa krbtpolicy-reset
  Max life: 86400
  Max renew: 604800

Verification

  • Display the global ticket policy: 

    [root@server ~]# ipa krbtpolicy-show
  Max life: 28800
  Max renew: 86640

14.6. Configuring global ticket policies per authentication indicator
Copiar enlace

Set different Kerberos ticket lifetimes in Identity Management (IdM) based on authentication method to enforce stronger security policies for weaker authentication. With this, IdM can require more frequent re-authentication for password-only logins while permitting longer sessions for two-factor or smart card authentication.

These global settings apply to all users who do not have individual ticket policies configured. Use the ipa krbtpolicy-mod command to set maximum lifetime and maximum renewable age values for each authentication indicator.

Procedure

  • For example, to set the global two-factor ticket lifetime and renewal age values to one week, and the global smart card ticket lifetime and renewal age values to two weeks: 

    [root@server ~]# ipa krbtpolicy-mod --otp-maxlife=604800 --otp-maxrenew=604800 --pkinit-maxlife=172800 --pkinit-maxrenew=172800

Verification

  • Display the global ticket policy: 

    [root@server ~]# ipa krbtpolicy-show
  Max life: 86400
  OTP max life: 604800
  PKINIT max life: 172800
  Max renew: 604800
  OTP max renew: 604800
  PKINIT max renew: 172800

    Notice that the OTP and PKINIT values are different from the global default Max life and Max renew values.

14.7. Configuring the default ticket policy for a user
Copiar enlace

Define custom Kerberos ticket policies for individual users in Identity Management (IdM) to enforce specific security requirements. Per-user policies override global settings and ensure that the maximum ticket lifetime and renewal periods match a user’s specific role or risk level.

Use the ipa krbtpolicy-mod username command, and specify at least one of the following arguments:

  • --maxlife for the maximum ticket lifetime in seconds
  • --maxrenew for the maximum renewable age in seconds

Procedure

  1. For example, to set the IdM admin user’s maximum ticket lifetime to two days and maximum renewal age to two weeks: 

    [root@server ~]# ipa krbtpolicy-mod admin --maxlife=172800 --maxrenew=1209600
  Max life: 172800
  Max renew: 1209600

  2. Optional: To reset the ticket policy for a user: 

    [root@server ~]# ipa krbtpolicy-reset admin

Verification

  • Display the effective Kerberos ticket policy that applies to a user: 

    [root@server ~]# ipa krbtpolicy-show admin
  Max life: 172800
  Max renew: 1209600

Configure per-authentication indicator Kerberos ticket policies for users in Identity Management (IdM) to apply different ticket lifetime and renewal rules based on authentication method.

For example, you can configure a policy to allow the IdM admin user to renew a ticket for two days if it was obtained with OTP authentication, and a week if it was obtained with smart card authentication.

These per-authentication indicator settings will override the user’s default ticket policy, the global default ticket policy, and any global authentication indicator ticket policy.

Use the ipa krbtpolicy-mod username command to set custom maximum lifetime and maximum renewable age values for a user’s Kerberos tickets depending on the authentication indicators attached to them.

Procedure

  1. For example, to allow the IdM admin user to renew a Kerberos ticket for two days if it was obtained with One-Time Password authentication, set the --otp-maxrenew option: 

    [root@server ~]# ipa krbtpolicy-mod admin --otp-maxrenew=$((2*24*60*60))
  OTP max renew: 172800

  2. Optional: To reset the ticket policy for a user: 

    [root@server ~]# ipa krbtpolicy-reset username

Verification

  • Display the effective Kerberos ticket policy that applies to a user: 

    [root@server ~]# ipa krbtpolicy-show admin
  Max life: 28800
  Max renew: 86640

14.9. Authentication indicator options for the krbtpolicy-mod command
Copiar enlace

Configure different Kerberos ticket lifetime policies for each authentication method in Identity Management (IdM) using the krbtpolicy-mod command. With this, you can set stricter expiration policies for weaker authentication methods and more permissive policies for stronger ones.

Expand
Table 14.1. Authentication indicator options for the krbtpolicy-mod command
Authentication indicatorArgument for maximum lifetimeArgument for maximum renewal age

otp

--otp-maxlife

--otp-maxrenew

radius

--radius-maxlife

--radius-maxrenew

pkinit

--pkinit-maxlife

--pkinit-maxrenew

hardened

--hardened-maxlife

--hardened-maxrenew


[1] A hardened password is protected against brute-force password dictionary attacks by using Single-Party Public-Key Authenticated Key Exchange (SPAKE) pre-authentication and/or Flexible Authentication via Secure Tunneling (FAST) armoring.
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba