Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
Manual Administration Using kadmin
Chapter 6 181
Allow Duplicate Session Key Attribute
The Allow Duplicate Session Key attribute determines whether a
principal is allowed to use a duplicate session key. A duplicate session
key applies to user-to-user authentication, where it determines which
key is used to encrypt the requested service ticket.
This setting controls the security protocol between an initiator,
typically a client application, and an acceptor, typically a service.
When a user performs an action that causes the initiator application to
request a duplicate session key:
• if this attribute is set, the initiator application sends two TGTs, its
own and the acceptor’s, in its request to the TGS (ticket-granting
service). The service ticket returned to the initiator is encrypted with
the session key contained in the acceptor’s TGT, so the acceptor can
decrypt it with the session key it already holds, without needing its
long-term secret key
• if this attribute is not set, the service ticket returned to the
initiator application is encrypted with the acceptor’s secret key
This attribute is set by default, allowing an initiator application to
request a duplicate session key for the acceptor’s application.
Principal accounts that use duplicate session keys must also be assigned
the Allow as Service attribute.
To set or clear the Allow Duplicate Session Key attribute for the
principal admin, modify the parameter type attr and answer the kadmin
prompts as follows (dskey sets the attribute, nodskey clears it):
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
Attribute (or quit): {dskey|nodskey}
Principal modified.
Require Preauthentication Attribute
The Require Preauthentication attribute determines whether a
principal is required to preauthenticate when requesting a TGT.
Preauthentication means that the client logon program attaches data
encrypted under the principal’s key (typically a timestamp) to the ticket
request, so that the KDC issues the TGT only to a requester that proves
it already holds the principal’s key. Without it, anyone who names the
principal can obtain a reply encrypted under that principal’s key and
attack it offline.
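The two KDC decisions described on this page, which key wraps the service ticket under dskey versus nodskey (the Allow Duplicate Session Key section above) and whether a TGT request that carries no preauthentication data is answered, as a runnable model added by the editor; it is not code from the HP-UX Kerberos Server and uses a toy encrypt-then-MAC construction in place of a real Kerberos enctype. The principal names alice and bob, the 300-second skew window, the constructed password guess list, and the reading that dskey and Allow as Service are checked on the acceptor's principal are this example's assumptions:

```python
import hashlib
import os
import time

# Toy encrypt-then-MAC cipher, demonstration only (not a Kerberos enctype).
# Layout: nonce (16) | body | tag (16); a wrong key fails the tag check.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _keystream_xor(key, nonce, plaintext)
    return nonce + body + hashlib.sha256(b"mac" + key + nonce + body).digest()[:16]

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-16], blob[-16:]
    if hashlib.sha256(b"mac" + key + nonce + body).digest()[:16] != tag:
        raise ValueError("wrong key or corrupted ciphertext")
    return _keystream_xor(key, nonce, body)

def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        toy_decrypt(key, blob)
        return True
    except ValueError:
        return False

def pa_timestamp(key: bytes) -> bytes:
    # Preauthentication data: the current time encrypted under the principal's key.
    return toy_encrypt(key, int(time.time()).to_bytes(8, "big"))

class Principal:
    # dskey: Allow Duplicate Session Key (dskey / nodskey); as_service: Allow as Service;
    # preauth: Require Preauthentication. Assumed to be checked on the acceptor's principal.
    def __init__(self, name, key, dskey=True, as_service=False, preauth=True):
        self.name, self.key, self.dskey = name, key, dskey
        self.as_service, self.preauth = as_service, preauth

class KDC:
    def __init__(self, principals):
        self.db = {p.name: p for p in principals}
        self.tgs_key = os.urandom(32)  # long-term key of the ticket-granting service

    def _open_tgt(self, tgt: bytes):
        data = toy_decrypt(self.tgs_key, tgt)
        return data[:32], data[32:].decode()  # (session key, principal name)

    def as_request(self, client: str, pa_data=None):
        """AS exchange: returns (TGT, session key encrypted under the client's key)."""
        p = self.db[client]
        if p.preauth:  # Require Preauthentication is set on this principal
            if pa_data is None:
                raise PermissionError("preauthentication required for " + client)
            ts = int.from_bytes(toy_decrypt(p.key, pa_data), "big")  # ValueError if wrong key
            if abs(time.time() - ts) > 300:  # assumed clock-skew window
                raise PermissionError("preauthentication timestamp outside skew window")
        session_key = os.urandom(32)
        tgt = toy_encrypt(self.tgs_key, session_key + client.encode())
        return tgt, toy_encrypt(p.key, session_key)

    def tgs_request(self, initiator_tgt: bytes, service: str, acceptor_tgt=None):
        """TGS exchange: returns (service ticket, ticket key encrypted for the initiator)."""
        init_skey, initiator = self._open_tgt(initiator_tgt)
        svc = self.db[service]
        if acceptor_tgt is not None and svc.dskey:  # dskey: wrap with acceptor's TGT session key
            acc_skey, acceptor = self._open_tgt(acceptor_tgt)
            if acceptor != service:  # never let a caller-supplied TGT choose the wrapping key
                raise PermissionError("acceptor TGT does not belong to " + service)
            if not svc.as_service:  # page: dskey users must also have Allow as Service
                raise PermissionError(service + " is not allowed as a service")
            wrapping_key = acc_skey
        else:  # nodskey (or no acceptor TGT): wrap with the acceptor's long-term key
            wrapping_key = svc.key
        ticket_key = os.urandom(32)
        ticket = initiator.encode() + b"->" + service.encode() + b":" + ticket_key
        return toy_encrypt(wrapping_key, ticket), toy_encrypt(init_skey, ticket_key)

def demo(dskey_set: bool, send_preauth: bool = True) -> str:
    """One AS + user-to-user TGS round; returns which key the acceptor needed."""
    alice = Principal("alice", os.urandom(32))
    bob = Principal("bob", os.urandom(32), dskey=dskey_set, as_service=True)
    kdc = KDC([alice, bob])
    alice_tgt, _ = kdc.as_request("alice", pa_timestamp(alice.key) if send_preauth else None)
    bob_tgt, bob_rep = kdc.as_request("bob", pa_timestamp(bob.key))
    bob_session_key = toy_decrypt(bob.key, bob_rep)  # bob holds this from his own logon
    ticket, _ = kdc.tgs_request(alice_tgt, "bob", acceptor_tgt=bob_tgt)
    return ("acceptor TGT session key" if can_decrypt(bob_session_key, ticket)
            else "acceptor long-term key" if can_decrypt(bob.key, ticket) else "undecryptable")

def asrep_exposed(require_preauth: bool) -> bool:
    """Can a requester who knows no key get alice's AS reply and guess her password offline?"""
    alice = Principal("alice", hashlib.sha256(b"weak-password").digest(), preauth=require_preauth)
    kdc = KDC([alice])
    try:
        _, rep = kdc.as_request("alice")  # no preauthentication data at all
    except PermissionError:
        return False
    # Constructed candidate list; a real attacker would run a dictionary here.
    return any(can_decrypt(hashlib.sha256(g).digest(), rep) for g in (b"letmein", b"weak-password"))
```

demo(True) shows the acceptor opening the ticket with the session key from its own TGT, demo(False) shows it needing its long-term key instead, and demo(True, send_preauth=False) is refused outright. asrep_exposed(False) shows what Require Preauthentication prevents: with the attribute clear, anyone who names the principal receives material encrypted under that principal's key and can test password guesses against it offline. The check that the supplied acceptor TGT really belongs to the requested service is the one a real TGS must make, since otherwise a caller could present its own TGT and choose the key that wraps the ticket.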
The Require Preauthentication attribute applies to user and service
principals. If this attribute is set for a,
• User principal, the user must run logon software that performs
authentication using the preauthentication protocol