Adam Lewenberg <ada...@stanford.edu> writes:

> I am trying to understand the security benefits of requiring
> pre-authentication.

> Consider this scenario: an attacker is trying to learn the password for
> a service account, e.g., the principal used by the ssh service on some
> server. The attacker already has the credentials for a user's account
> (but not, of course, the service account he is attacking). The attacker
> requests a service ticket for the account he is attacking. The attacker
> then uses brute force (offline) to derive the service account's
> password.

> In the context where the attacker *already* has an account, requiring
> pre-authentication does not help mitigate against this sort of attack. In
> other words, pre-authentication helps against attacks from "outsiders"
> but not from existing users.

Assuming the attack is on a principal for which one can obtain service
tickets, I believe this is correct.  (This is one of the reasons why you
should disable service tickets for user accounts unless you have a
specific need for user-to-user authentication.)

The primary defense against this attack for service accounts is that
service accounts should always have a randomly-generated key, not a
password, so brute force attacks on a service ticket to recover that key
are infeasible (they're equivalent to a brute-force search of the entire
key space, which should be large enough to make this impractical).

Pre-authentication is primarily there to protect weak keys, such as any
keys derived from a password.

-- 
Russ Allbery (ea...@eyrie.org)              <http://www.eyrie.org/~eagle/>
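
An added example, not part of either message above: a small audit that reads MIT Kerberos `kadmin getprinc` output and flags user principals that can still be the target of a service ticket request or that do not require pre-authentication. The sample output is constructed and trimmed, and treating any principal without an instance ("/") as a password-based user account is an assumption of this sketch.

```python
# Constructed sample: `kadmin getprinc` output for three principals,
# trimmed to the fields this audit reads.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@EXAMPLE.ORG
Number of keys: 2
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]
Principal: host/ssh1.example.org@EXAMPLE.ORG
Number of keys: 2
Attributes:
Policy: [none]
"""

def parse_principals(text):
    """Return {principal name: set of attribute flags} from getprinc output."""
    principals, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Principal":
            current = value.strip()
            principals[current] = set()
        elif key == "Attributes" and current is not None:
            principals[current].update(value.split())
    return principals

def audit(principals):
    """List (principal, finding) pairs for user principals with exposed keys."""
    findings = []
    for name, attrs in sorted(principals.items()):
        # Assumption: no "/" before the realm means a user with a
        # password-derived key; service principals are assumed to have been
        # created with a random key and are not flagged here.
        if "/" in name.split("@", 1)[0]:
            continue
        if "DISALLOW_SVR" not in attrs:
            findings.append((name, "service tickets allowed"))
        if "REQUIRES_PRE_AUTH" not in attrs:
            findings.append((name, "pre-authentication not required"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_principals(SAMPLE)):
        print(f"{name}: {finding}")
```

In kadmin, `modprinc -allow_svr <principal>` sets DISALLOW_SVR on a flagged account, and `addprinc -randkey <principal>` creates a service principal with a random key rather than a password.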
