Does anyone actually want MIT's behavior of conflating requires_preauth behavior for servers and clients or should we split those out into separate flags? So, even now I'm not convinced that implementing random_to_key in terms of random_pass would be bad. I do think it is more complicated than I at first thought, but the benefits may justify it. --Sam