Now that you have a solid understanding of the security issues and limitations of Kerberos, let’s examine how to work around these limitations and ensure that your Kerberos implementation is as secure as possible.
First, we will start with pre-authentication. The Microsoft Windows KDC is the only implementation of those covered in this book that requires clients to pre-authenticate by default. In some implementations, a command-line option or flag can be used to require all clients to use pre-authentication. Other implementations require the administrator to explicitly specify which principals need to pre-authenticate before being granted a TGT.
The MIT KDC allows administrators to require the use of pre-authentication on a per-principal basis. Pre-authentication can be enabled for a principal in the MIT KDC through the following kadmin command:
kadmin: modify_principal +requires_preauth principal
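As an added example (not from the book or the MIT project), the following shell script audits an MIT KDC for principals that still lack the REQUIRES_PRE_AUTH attribute and prints the modify_principal commands needed to close the gap. It reads only the Principal: and Attributes: lines of kadmin's getprinc output, and the embedded sample output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the book): audit an MIT KDC for principals that
# still lack REQUIRES_PRE_AUTH and print the kadmin commands that would fix
# them. Assumes the "Principal:" / "Attributes:" lines of MIT kadmin's
# getprinc output; the sample below is constructed, not captured from a KDC.

# Read getprinc output for one or more principals on stdin; print the name
# of every principal whose Attributes line does not contain REQUIRES_PRE_AUTH.
missing_preauth() {
    awk '
        /^Principal: / { name = $2 }
        /^Attributes:/ { if ($0 !~ /REQUIRES_PRE_AUTH/) print name }
    '
}

# Turn that list into the modify_principal commands from the text, ready to
# be reviewed and then fed to kadmin (or kadmin.local on the KDC itself).
preauth_fix_commands() {
    missing_preauth | while IFS= read -r name; do
        printf 'modify_principal +requires_preauth %s\n' "$name"
    done
}

# Constructed sample: alice already requires pre-auth, the service account
# does not. Only the getprinc lines the functions look at are kept.
SAMPLE='Principal: alice@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: svc-backup@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: [none]'

# Offline run against the sample. Against a live MIT KDC you would instead
# pipe each principal's getprinc output from kadmin.local, for example:
#   kadmin.local -q list_principals | grep '@' | while read -r p; do
#       kadmin.local -q "getprinc $p"; done | preauth_fix_commands
printf '%s\n' "$SAMPLE" | preauth_fix_commands
```

Review the emitted commands before running them; service principals that genuinely cannot pre-authenticate will show up here and need a deliberate decision rather than a blanket change.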
The Heimdal KDC also allows administrators to require the use of pre-authentication on a per-principal basis. To require pre-authentication for a principal in the Heimdal KDC database, use kadmin's modify command and set the pre-authentication attribute when prompted for Attributes:

kadmin> modify principal
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
The Heimdal KDC also allows you to turn off pre-authentication on all principals when starting the KDC, for emergency or testing purposes. ...