when would you not want +requires_preauth?
Ken Dreyer
ktdreyer at ktdreyer.com
Tue Jul 19 15:01:24 EDT 2011
On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson <ghudson at mit.edu> wrote:
> The best practice is to set +requires-preauth (and probably
> -allow_tgs_req) on principals with password-derived keys and leave it
> unset on principals with random keys.
I thought the "best practice" would be to set requires-preauth on
every principal? I don't want to give someone the ability to offline
attack any of my principals...
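An added example, not part of the thread: a small audit that checks principal attributes against both positions above, the quoted practice (preauth and, optionally, `-allow_tgs_req` on password-derived keys) and the stricter view in the reply (preauth on every principal). It assumes trimmed `kadmin.local -q "getprinc <name>"` output and an operator-supplied set of principals known to have random keys; the sample data and the function names are constructed for illustration.

```python
# Constructed sample: concatenated getprinc output, trimmed to the two
# fields the audit reads. Not taken from a real KDC.
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH DISALLOW_TGT_BASED
Principal: bob@EXAMPLE.COM
Attributes:
Principal: carol@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Principal: host/web1.example.com@EXAMPLE.COM
Attributes:
"""

def parse_getprinc(text):
    """Return {principal: set(attribute flags)} from getprinc output."""
    principals, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "Principal":
            current = value.strip()
            principals[current] = set()
        elif key == "Attributes" and current is not None:
            principals[current].update(value.split())
    return principals

def audit(principals, random_key, strict=False):
    """Return (principal, finding) pairs.

    random_key: names the operator knows were created with random keys
    (an assumption; getprinc output does not reveal how a key was made).
    strict=True requires preauth on every principal, random-key or not.
    """
    findings = []
    for name, flags in sorted(principals.items()):
        password_derived = name not in random_key
        if (password_derived or strict) and "REQUIRES_PRE_AUTH" not in flags:
            findings.append((name, "missing +requires_preauth"))
        # -allow_tgs_req is stored as the DISALLOW_TGT_BASED attribute.
        if password_derived and "DISALLOW_TGT_BASED" not in flags:
            findings.append((name, "consider -allow_tgs_req"))
    return findings

if __name__ == "__main__":
    known_random = {"host/web1.example.com@EXAMPLE.COM"}
    for name, finding in audit(parse_getprinc(SAMPLE), known_random):
        print(f"{name}: {finding}")
```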