when would you not want +requires_preauth?
Greg Hudson
ghudson at MIT.EDU
Tue Jul 19 14:39:31 EDT 2011
On Tue, 2011-07-19 at 13:46 -0400, Chris Hecker wrote:
> Is there any reason I wouldn't want +requires_preauth on any user
> accounts? It looks like it doubles the number of connections to the KDC
> to get the tgt, but besides that additional load, is there any downside
> to doing it?
Short answer: no real downside other than the latency and load of that
extra round trip.
Longer answer: requires-preauth has two effects (which should probably
be separate, but it's hard to pry them apart now). It makes preauth
required for an AS-REQ for that client principal, but it also means that
any TGS-REQ for that principal as a *server* must be made with tickets
that used preauth.
So if a principal might ever be used as a server, you don't want to set
requires-preauth on it unless requires-preauth has also been set (for
the last 10-24 hours or whatever) on every client which might access
that server.
The best practice is to set +requires_preauth (and probably
-allow_tgs_req) on principals with password-derived keys and leave it
unset on principals with random keys.
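The rule in the reply above (password-derived keys get +requires_preauth and -allow_tgs_req, random-key service principals are left without requires_preauth) can be checked mechanically against `kadmin getprinc` output. The following Python script is an added example, not code from this thread or from MIT Kerberos: it parses the `Principal:` and `Attributes:` lines that `getprinc` prints (kadmin shows `+requires_preauth` as `REQUIRES_PRE_AUTH` and `-allow_tgs_req` as `DISALLOW_TGT_BASED`), classifies each principal, and emits the `modprinc` commands that would bring it in line. The sample output embedded below is constructed, and the classification heuristic (no instance component means a human user with a password-derived key) is an assumption you should adapt to your own naming scheme.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `kadmin getprinc` output (not captured from a real KDC).
# Real output has many more lines per principal (expiration, key versions, ...);
# the parser below only looks at the two lines it needs.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Attributes:
Principal: bob@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Principal: carol@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH DISALLOW_TGT_BASED
Principal: host/www.example.com@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Principal: HTTP/www.example.com@EXAMPLE.COM
Attributes:
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Attributes:
"""

PRINC_RE = re.compile(r"^Principal:\s*(\S+)\s*$")
ATTRS_RE = re.compile(r"^Attributes:\s*(.*)$")


def parse_getprinc(text: str) -> Dict[str, Set[str]]:
    """Map each principal name to the set of attribute flags kadmin printed."""
    entries: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = PRINC_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = set()
            continue
        m = ATTRS_RE.match(line)
        if m and current is not None:
            entries[current] = set(m.group(1).split())
    return entries


def is_password_principal(name: str) -> bool:
    """Assumption: principals without an instance component (no '/') are human
    users whose keys are derived from passwords; anything with an instance
    (host/..., HTTP/..., krbtgt/...) is a random-key service principal."""
    primary = name.split("@", 1)[0]
    return "/" not in primary


def audit(entries: Dict[str, Set[str]]) -> List[str]:
    """Return kadmin modprinc commands that apply the best practice from the reply:
    password-derived principals need REQUIRES_PRE_AUTH and DISALLOW_TGT_BASED;
    random-key principals should not carry REQUIRES_PRE_AUTH, because that forces
    every client reaching them to have obtained its TGT with preauth."""
    findings: List[str] = []
    for princ, attrs in entries.items():
        if is_password_principal(princ):
            missing = []
            if "REQUIRES_PRE_AUTH" not in attrs:
                missing.append("+requires_preauth")
            if "DISALLOW_TGT_BASED" not in attrs:
                missing.append("-allow_tgs_req")
            if missing:
                findings.append(f"modprinc {' '.join(missing)} {princ}")
        elif "REQUIRES_PRE_AUTH" in attrs:
            # Flagged for review rather than silently correct: clearing it is
            # right unless every client of this service already uses preauth.
            findings.append(f"modprinc -requires_preauth {princ}")
    return findings


if __name__ == "__main__":
    for cmd in audit(parse_getprinc(SAMPLE_GETPRINC)):
        print(cmd)
```

To run it against a real database, replace `SAMPLE_GETPRINC` with the output of `kadmin.local -q "getprinc <principal>"` for each principal you want to check; the script never modifies the KDC itself, it only prints the commands for you to review.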