when would you not want +requires_preauth?

Russ Allbery rra at stanford.edu
Tue Jul 19 21:09:24 EDT 2011


Ken Dreyer <ktdreyer at ktdreyer.com> writes:
> On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson <ghudson at mit.edu> wrote:

>> The best practice is to set +requires-preauth (and probably
>> -allow_tgs_req) on principals with password-derived keys and leave it
>> unset on principals with random keys.

> I thought the "best practice" would be to set requires-preauth on
> every principal? I don't want to give someone the ability to offline
> attack any of my principals...

If you're starting from scratch with a new cell, I'd be inclined to do
this (although there can be some weird implications for cross-realm).  If
you didn't start that way, getting there is really annoying due to the
existing intermingling of roles of require-preauth, and probably isn't
worth it for non-user principals.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
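As an added example (not code from this thread, from Russ, or from MIT Kerberos), here is a small Python audit that applies the rule Greg states above to `kadmin.local -q "getprinc NAME"` output: principals with password-derived keys should carry `REQUIRES_PRE_AUTH` (and `DISALLOW_TGT_BASED`, the attribute that kadmin's `-allow_tgs_req` sets), while random-key service principals may leave it unset. It assumes the `Principal:`/`Attributes:` line format shown in the constructed sample, and it uses the heuristic that a principal with no instance component (no `/`) is a human user with a password-derived key; both are assumptions, not something the thread establishes.

```python
"""Audit MIT Kerberos principals against the preauth rule from the thread.

Added example, not part of the mailing-list post or of MIT Kerberos.
Assumptions:
  * `kadmin.local -q "getprinc NAME"` prints "Principal: ..." and
    "Attributes: A B C" lines (empty after the colon when no flags are set).
  * A principal whose primary has no '/' (alice@REALM) is a user whose key
    is password-derived; multi-component principals (host/..., krbtgt/...)
    hold random keys.  Real realms can violate this heuristic.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample of getprinc output for five principals (not real data).
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH DISALLOW_TGT_BASED
Policy: [none]

Principal: bob@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Attributes:
Policy: [none]

Principal: host/kdc.example.com@EXAMPLE.COM
Number of keys: 4
Attributes:
Policy: [none]

Principal: HTTP/web.example.com@EXAMPLE.COM
Number of keys: 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 4
Attributes:
Policy: [none]
"""


@dataclass(frozen=True)
class Principal:
    name: str
    attributes: frozenset


def parse_getprinc(text):
    """Extract (name, attribute set) pairs from concatenated getprinc output."""
    principals = []
    name = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Attributes:") and name is not None:
            attrs = frozenset(line.split(":", 1)[1].split())
            principals.append(Principal(name, attrs))
            name = None
    return principals


def has_password_derived_key(principal_name):
    """Heuristic (assumption): no instance component means a human user."""
    primary = principal_name.split("@", 1)[0]
    return "/" not in primary


def audit(principals):
    """Return (principal, message) findings where the flags deviate from the rule."""
    findings = []
    for p in principals:
        if has_password_derived_key(p.name):
            if "REQUIRES_PRE_AUTH" not in p.attributes:
                findings.append((p.name, "missing REQUIRES_PRE_AUTH on password-derived key"))
            if "DISALLOW_TGT_BASED" not in p.attributes:
                findings.append((p.name, "missing DISALLOW_TGT_BASED (kadmin -allow_tgs_req)"))
        elif "REQUIRES_PRE_AUTH" in p.attributes:
            # Not wrong, just unnecessary for random keys per the thread.
            findings.append((p.name, "info: REQUIRES_PRE_AUTH set on random-key principal"))
    return findings


def dump_live(principal_names):
    """Fetch real getprinc output for the given names (run as root on the KDC)."""
    chunks = []
    for name in principal_names:
        result = subprocess.run(["kadmin.local", "-q", f"getprinc {name}"],
                                capture_output=True, text=True, check=True)
        chunks.append(result.stdout)
    return "\n".join(chunks)


if __name__ == "__main__":
    for principal, message in audit(parse_getprinc(SAMPLE_GETPRINC)):
        print(f"{principal}: {message}")
```

Run as-is it audits the constructed sample; to audit a real realm, feed `dump_live(...)` the names from `kadmin.local -q listprincs` instead of the sample string. The heuristic for password-derived keys is the weak point: principals like `alice/admin@REALM` have password-derived keys but contain a `/`, so adjust the classifier to your naming conventions before trusting the report.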


