when would you not want +requires_preauth?
Greg Hudson
ghudson at MIT.EDU
Tue Jul 19 15:16:11 EDT 2011
On Tue, 2011-07-19 at 15:01 -0400, Ken Dreyer wrote:
> I thought the "best practice" would be to set requires-preauth on
> every principal? I don't want to give someone the ability to offline
> attack any of my principals...
If I can successfully offline attack a random key, I'll just make a TGS
request for your krbtgt and attack the resulting ticket. (I'd have to
be able to authenticate as *someone* in your realm, but that's not a
very high bar.)
Luckily, nobody has the computational resources to successfully attack a
random 128-bit or larger key, and there's a reasonable argument that no
one ever will in the absence of practical quantum computing.
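The thread's point is that the value of +requires_preauth depends on where a principal's key comes from: a password-derived key is what an offline guess can actually recover, while a random keytab key of 128 bits or more is out of reach either way. An administrator deciding where to set the flag therefore wants to see which principals lack it and which of those have password-derived keys. The following audit script is an added example, not code from the thread or from MIT krb5; it parses `getprinc` output in the layout MIT kadmin prints (a constructed sample is embedded inline, not captured from a real KDC) and uses the assumption that a `/` in the first principal component marks a service principal with a random, keytab-based key.

```python
# Constructed sample modelled on `kadmin.local -q "getprinc <name>"` output
# for three principals. Typed in by hand for this example, not captured
# from a real KDC; the Attributes line is the field we care about.
SAMPLE_GETPRINC_OUTPUT = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jul 18 10:00:00 EDT 2011
Attributes: REQUIRES_PRE_AUTH
Number of keys: 2

Principal: bob@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jul 18 10:00:00 EDT 2011
Attributes:
Number of keys: 2

Principal: host/www.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jul 18 10:00:00 EDT 2011
Attributes:
Number of keys: 2
"""


def parse_getprinc(text):
    """Return {principal: set(attribute flags)} from concatenated getprinc output."""
    result = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = line[len("Principal: "):].strip()
            result[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            # Flags are printed space-separated after the colon; an empty
            # Attributes line means no flags are set on the principal.
            result[current].update(line[len("Attributes:"):].split())
    return result


def is_service_principal(name):
    """Heuristic (assumption, not a KDC fact): a '/' in the first component
    marks a service principal such as host/www.example.com, whose key is
    normally random and held in a keytab rather than derived from a password."""
    first_component = name.split("@", 1)[0]
    return "/" in first_component


def audit_preauth(text):
    """Group principals lacking REQUIRES_PRE_AUTH by the likely origin of their key.

    Password-derived keys without preauth are the case worth fixing first:
    an AS-REP for such a principal can be guessed against offline. Random
    keytab keys are listed separately because, as the thread notes, a
    128-bit or larger random key is not a practical offline target.
    """
    attrs = parse_getprinc(text)
    findings = {"password_derived_no_preauth": [], "random_key_no_preauth": []}
    for princ, flags in sorted(attrs.items()):
        if "REQUIRES_PRE_AUTH" in flags:
            continue
        bucket = "random_key_no_preauth" if is_service_principal(princ) \
            else "password_derived_no_preauth"
        findings[bucket].append(princ)
    return findings


if __name__ == "__main__":
    report = audit_preauth(SAMPLE_GETPRINC_OUTPUT)
    for bucket, principals in report.items():
        print(f"{bucket}:")
        for p in principals:
            print(f"  {p}")
```

On a live KDC the sample text would be replaced by the concatenated output of `getprinc` for each name returned by `listprincs`; the classification heuristic should be adjusted to match the realm's own naming conventions, since nothing in `getprinc` output says whether a key was set from a password or generated randomly.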