when would you not want +requires_preauth?

Greg Hudson ghudson at MIT.EDU
Tue Jul 19 15:16:11 EDT 2011


On Tue, 2011-07-19 at 15:01 -0400, Ken Dreyer wrote:
> I thought the "best practice" would be to set requires-preauth on
> every principal? I don't want to give someone the ability to offline
> attack any of my principals...

If I can successfully offline attack a random key, I'll just make a TGS
request for your krbtgt and attack the resulting ticket.  (I'd have to
be able to authenticate as *someone* in your realm, but that's not a
very high bar.)

Luckily, nobody has the computational resources to successfully attack a
random 128-bit or larger key, and there's a reasonable argument that no
one ever will in the absence of practical quantum computing.




