I am trying to understand the security benefits of requiring
Consider this scenario: an attacker is trying to learn the password for
a service account, e.g., the principal used by the ssh service on some
server. The attacker already has the credentials for a user's account
(but not, of course, the service account he is attacking). The attacker
requests a service ticket for the account he is attacking. The attacker
then uses brute force (offline) to derive the service account's password.

In the context where the attacker *already* has an account, requiring
pre-authentication does not help mitigate against this sort of attack. In
other words, pre-authentication helps against attacks from "outsiders"
but not from existing users.

Is this correct?

Thanks, Adam Lewenberg