Adam Lewenberg <ada...@stanford.edu> writes:

> I am trying to understand the security benefits of requiring
> pre-authentication.

> Consider this scenario: an attacker is trying to learn the password for
> a service account, e.g., the principal used by the ssh service on some
> server. The attacker already has the credentials for a user's account
> (but not, of course, the service account he is attacking). The attacker
> requests a service ticket for the account he is attacking. The attacker
> then uses brute force (offline) to derive the service account's
> password.

> In the context where the attacker *already* has an account, requiring
> pre-authentication does not help mitigate against this sort of attack. In
> other words, pre-authentication helps against attacks from "outsiders"
> but not from existing users.

Assuming the attack is on a principal for which one can obtain service
tickets, I believe this is correct. (This is one of the reasons why you
should disable service tickets for user accounts unless you have a
specific need for user-to-user authentication.)

The primary defense against this attack for service accounts is that
service accounts should always have a randomly-generated key, not a
password, so brute force attacks on a service ticket to recover that key
are infeasible (they're equivalent to a brute-force search of the entire
key space, which should be large enough to make this impractical).
Pre-authentication is primarily there to protect weak keys, such as any
keys derived from a password.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>