I am trying to understand the security benefits of requiring pre-authentication.

Consider this scenario: an attacker is trying to learn the password for a service account, e.g., the principal used by the ssh service on some server. The attacker already has the credentials for a user's account (but not, of course, the service account he is attacking). The attacker requests a service ticket for the account he is attacking. The attacker then uses brute force (offline) to derive the service account's password.

In the context where the attacker *already* has an account, requiring pre-authentication does not help mitigate against this sort of attack. In other words, pre-authentication helps against attacks from "outsiders" but not from existing users.

Is this correct?

Thanks, Adam Lewenberg
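To make the distinction in the question concrete, here is a toy model of the AS (initial authentication) and TGS (service ticket) exchanges. It is added here as an illustration and is not code from this thread nor a real Kerberos implementation: the cipher, the key derivation, the principal names and the passwords are constructed stand-ins. It shows what pre-authentication gates (the AS-REP, which is encrypted under the *user's* key) and what it does not (the service ticket, which is encrypted under the *service's* key and handed to any holder of a valid TGT).

```python
import hashlib
import hmac
import os


def derive_key(password, salt):
    """Stand-in for Kerberos string-to-key: a long-term key derived from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def encrypt(key, plaintext):
    """Toy authenticated encryption: nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    """Return the plaintext if `key` verifies `blob`, otherwise None."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body))))


def verifiable_offline(blob, candidate_key):
    """The check an offline guess performs: does this candidate key open the blob?
    No KDC round trip is involved, so nothing rate-limits or logs the attempt."""
    return decrypt(candidate_key, blob) is not None


class ToyKDC:
    def __init__(self, require_preauth):
        self.require_preauth = require_preauth
        self.keys = {}                 # principal name -> long-term key
        self.tgs_key = os.urandom(32)  # krbtgt key; never leaves the KDC

    def add_principal(self, name, key):
        self.keys[name] = key

    def as_exchange(self, client, preauth=None):
        """AS-REQ/AS-REP. Returns (enc-part under the client's key, TGT under the krbtgt key).
        With pre-authentication the KDC first demands proof the client holds its key."""
        client_key = self.keys[client]
        if self.require_preauth:
            if preauth is None:
                raise PermissionError("KDC_ERR_PREAUTH_REQUIRED")
            if decrypt(client_key, preauth) is None:
                raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        session_key = os.urandom(32)
        tgt = encrypt(self.tgs_key, client.encode() + b"|" + session_key)
        return encrypt(client_key, b"session:" + session_key), tgt

    def tgs_exchange(self, tgt, service):
        """TGS-REQ/TGS-REP: any holder of a valid TGT gets a ticket for `service`,
        and that ticket is encrypted under the service's long-term key."""
        inner = decrypt(self.tgs_key, tgt)
        if inner is None:
            raise PermissionError("KRB_AP_ERR_BAD_INTEGRITY")
        client = inner.split(b"|", 1)[0]
        return encrypt(self.keys[service], b"ticket:" + client + b"->" + service.encode())


def preauth_blob(client_key):
    """PA-ENC-TIMESTAMP stand-in: a value only the holder of the client key can produce."""
    return encrypt(client_key, b"timestamp")


def scenario(require_preauth):
    """Run the outsider and the insider case; report what each can verify offline."""
    kdc = ToyKDC(require_preauth)
    user_key = derive_key("user-password", "EXAMPLE.ORG/alice")           # constructed
    service_key = derive_key("service-password", "EXAMPLE.ORG/host/app")  # constructed
    kdc.add_principal("alice", user_key)
    kdc.add_principal("host/app", service_key)
    out = {}
    # Outsider: knows alice's principal name but not her key.
    try:
        enc_part, _ = kdc.as_exchange("alice")
        out["outsider_as_rep_verifiable"] = verifiable_offline(enc_part, user_key)
    except PermissionError:
        out["outsider_as_rep_verifiable"] = False
    # Insider: holds alice's key, so pre-authentication is satisfied either way.
    _, tgt = kdc.as_exchange("alice", preauth_blob(user_key))
    ticket = kdc.tgs_exchange(tgt, "host/app")
    out["insider_ticket_verifiable"] = verifiable_offline(ticket, service_key)
    out["wrong_key_verifiable"] = verifiable_offline(ticket, os.urandom(32))
    return out


if __name__ == "__main__":
    print("without pre-auth:", scenario(False))
    print("with pre-auth:   ", scenario(True))
```

Running `scenario(False)` and `scenario(True)` shows the asymmetry: pre-authentication turns the outsider's AS-REP from offline-verifiable to unobtainable, while the insider's service ticket is offline-verifiable under the service key in both cases. What limits the insider case is the entropy of the service key itself, which is why service principals are better keyed from a randomly generated keytab key (a 2^256 guess space for a 32-byte key in this toy) than from a human-chosen password, and why the KDC's ticket-request logs, not pre-authentication, are where this activity is visible.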
