krb5.verify.credentials

This configuration parameter specifies whether to perform a spoofing check to verify a TGT for the local system.

By default, the agent verifies a user's TGT by retrieving and verifying a service ticket for the local system. This check is done to prevent a well-known attack (the Zanarotti or screen-saver attack) whereby a rogue KDC could respond to the agent’s request for the user’s TGT.

However, the spoofing check can be time consuming, so you can set this parameter to false to disable the spoofing check and significantly improve authentication performance.

For example, to disable the check:

krb5.verify.credentials: false

If this parameter is not defined in the configuration file, the default value is true.