mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
Add new authentication indicators in kdc.conf.template
As of release 1.17, KDC can be configured to apply authentication indicators for SPAKE, PKINIT, and encrypted challenge preauth via FAST channel, which are not configured in the current version of FreeIPA.

Note that even though the value of encrypted_challenge_indicator is attached only when encrypted challenge preauth is performed along a FAST channel, it's possible to perform FAST without encrypted challenge by using SPAKE. Since there is no reason to force clients not to use SPAKE while using FAST, we made a design choice to merge SPAKE and FAST in a new option called "Hardened Password", which requires the user to use at least one of SPAKE or FAST channel. Hence the same value is attached to both spake_preauth_indicator and encrypted_challenge_indicator.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
parent 80e4c18b75
commit 9c0a35f1e7
@ -17,4 +17,7 @@
pkinit_anchors = FILE:$KDC_CERT
pkinit_anchors = FILE:$CACERT_PEM
pkinit_pool = FILE:$CA_BUNDLE_PEM
pkinit_indicator = pkinit
spake_preauth_indicator = hardened
encrypted_challenge_indicator = hardened
}
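Review bot: The three indicator lines at the end of the realm block are added to kdc.conf.template only, so they take effect only where kdc.conf is generated from this template; nothing in this hunk adds them to the kdc.conf of a server that is already deployed. Suggest either pairing this with an upgrade step that writes `pkinit_indicator`, `spake_preauth_indicator` and `encrypted_challenge_indicator` into existing configurations, or stating in the commit message that only new installs are covered. Separately, `spake_preauth_indicator = hardened` and `encrypted_challenge_indicator = hardened` share a value by design according to the commit message, but in the file itself that reads like a copy-paste slip; a one-line comment above the pair saying that both map to the single "Hardened Password" indicator would keep a later editor from splitting them and silently breaking policies that match on `hardened`.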