Adam Lewenberg <ada...@stanford.edu> writes:
> I am trying to understand the security benefits of requiring
> Consider this scenario: an attacker is trying to learn the password for
> a service account, e.g., the principal used by the ssh service on some
> server. The attacker already has the credentials for a user's account
> (but not, of course, the service account he is attacking). The attacker
> requests a service ticket for the account he is attacking. The attacker
> then uses brute force (offline) to derive the service account's
> In the context where the attacker *already* has an account, requiring
> pre-authentication does not help mitigate against this sort of attack. In
> other words, pre-authentication helps against attacks from "outsiders"
> but not from existing users.

Assuming the attack is on a principal for which one can obtain service
tickets, I believe this is correct. (This is one of the reasons why you
should disable service tickets for user accounts unless you have a
specific need for user-to-user authentication.)

The primary defense against this attack for service accounts is that
service accounts should always have a randomly-generated key, not a
password, so brute force attacks on a service ticket to recover that key
are infeasible (they're equivalent to a brute-force search of the entire
key space, which should be large enough to make this impractical).
Pre-authentication is primarily there to protect weak keys, such as any
keys derived from a password.

Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>