SSH and The requires_pre_auth attribute
Russ Allbery
eagle at eyrie.org
Mon Nov 23 16:51:46 EST 2020
"Dan Mahoney (Gushi)" <danm at prime.gushi.org> writes:
> 1) Is my "if it's on the host entry, it must be on the user entry"
> basically accurate?
Yes.
Therefore, because of this, unless you are *certain* that every principal
that needs to authenticate to another principal will have requires
pre-auth set, you should not set requires pre-auth on server principals.
There is in general no strong reason to set requires pre-auth on
randomly-generated keys unless you want to force exactly this client
behavior. Yes, not having it set means that in theory an attacker can try
to brute-force the randomly-generated key, but... it's randomly generated.
So if there is any realistic chance of success in this, you have much
larger problems.
(I don't have off-the-cuff answers to your other questions.)
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list