pkinit and passwords issues

Tom Yu tlyu at MIT.EDU
Tue Feb 16 09:57:09 EST 2010

Jeffrey Altman <jaltman at> writes:

> Setting a random password and setting it to never expire results in
> there being a password that can be brute forced over a long period of
> time and used as a backdoor.  It would be much better if a property on
> the principal simply indicated "no password authentication permitted"
> and be done with it.

The "randkey" operation sets a random key, not a random password, so
the risk here is a brute force attack on the keyspace of the cipher,
not a dictionary attack.  If you are using a cipher that has a
keyspace small enough to pose significant risk (e.g. single-DES), you
should consider using a stronger cipher.

There is still value in being able to disable password-based
authentication for a principal, such as a situation where the
administrator wants to keep a password-derived key around for a
principal but wants to temporarily disable password authentication for
policy reasons.

More information about the krbdev mailing list