Dictionary and Brute-Force Attacks


6.3 Security Solutions

Now that you have a solid understanding of the security issues and limitations of Kerberos, let's examine how to work around these limitations and ensure that your Kerberos implementation is as secure as possible.

6.3.1 Requiring Pre-Authentication

First, we will start with pre-authentication. The Microsoft Windows KDC is the only implementation of those covered in this book that requires clients to pre-authenticate by default. In some implementations, a command-line option or flag can be used to require all clients to use pre-authentication. Other implementations require the administrator to explicitly specify which principals need to pre-authenticate before being granted a TGT.

6.3.1.1 MIT

The MIT KDC allows administrators to require the use of pre-authentication on a per-principal basis. Pre-authentication can be enabled for a principal in the MIT KDC through the following kadmin command:

    kadmin: modify_principal +requires_preauth principal
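Because the setting is per-principal on MIT, an administrator needs a way to find principals that were never given the flag. The following POSIX shell helper is an added example, not code from the book: it parses the Attributes line that the MIT kadmin getprinc command prints and reports principals that still lack REQUIRES_PRE_AUTH. It assumes it runs on the KDC host as a user allowed to invoke kadmin.local; the sample getprinc output embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): audit MIT KDC principals for the
# REQUIRES_PRE_AUTH attribute. Assumes kadmin.local is available on the
# KDC host and that getprinc prints an "Attributes:" line listing flags,
# as the MIT kadmin client does.

# preauth_required GETPRINC_OUTPUT
# Returns 0 when the Attributes line carries REQUIRES_PRE_AUTH, 1 otherwise.
preauth_required() {
    printf '%s\n' "$1" | grep -q '^Attributes:.*REQUIRES_PRE_AUTH'
}

# fix_cmd PRINCIPAL
# Prints the kadmin.local invocation that would enable pre-authentication
# for the principal (the same modify_principal command shown in the text).
fix_cmd() {
    printf 'kadmin.local -q "modify_principal +requires_preauth %s"\n' "$1"
}

# audit_principals PRINCIPAL...
# Queries each principal via kadmin.local and prints those without the
# flag, one per line, followed by the command that would fix it.
audit_principals() {
    for p in "$@"; do
        out=$(kadmin.local -q "getprinc $p" 2>/dev/null) || continue
        if ! preauth_required "$out"; then
            printf '%s lacks REQUIRES_PRE_AUTH; fix with: ' "$p"
            fix_cmd "$p"
        fi
    done
}

# Constructed sample getprinc output (not real KDC data) used for the demo.
SAMPLE_OK='Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'
SAMPLE_WEAK='Principal: svc-backup@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]'
```

Run `audit_principals $(kadmin.local -q listprincs | tail -n +2)` on the KDC to check every principal in the realm.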

6.3.1.2 Heimdal

The Heimdal KDC also allows administrators to require the use of pre-authentication on a per-principal basis. To require pre-authentication for a principal in the Heimdal KDC database, use the following kadmin command: kadmin modify principal Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes []:+requires-pre-auth The Heimdal KDC also allows you to turn off pre-authentication on all principals when starting the KDC, for emergency or testing purposes. The -p or --no-require-preauth switches disable pre-authentication checks for all principals until the KDC restarts. 6.3.1.3 Windows domain controllers The Windows domain controller KDC service enables pre-authentication for all principals by default. To view the current pre-authentication settings for a principal in the Windows Active Directory, use the following procedure: 1. 1. Log into a Windows machine that has the Active Directory administrative snap-ins installed. You must have Domain Administrator privileges to modify these settings. 2. [ Team LiB ] [ Team LiB ]