SSH and The requires_pre_auth attribute

Russ Allbery eagle at
Mon Nov 23 16:51:46 EST 2020

"Dan Mahoney (Gushi)" <danm at> writes:

> 1) Is my "if it's on the host entry, it must be on the user entry" 
> basically accurate?


Therefore, because of this, unless you are *certain* that every principal
that needs to authenticate to another principal will have requires
pre-auth set, you should not set requires pre-auth on server principals.

There is in general no strong reason to set requires pre-auth on
randomly-generated keys unless you want to force exactly this client
behavior.  Yes, not having it set means that in theory an attacker can try
to brute-force the randomly-generated key, but... it's randomly generated.
So if there is any realistic chance of success in this, you have much
larger problems.

(I don't have off-the-cuff answers to your other questions.)

Russ Allbery (eagle at             <>

More information about the Kerberos mailing list