On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson <[email protected]> wrote:
> The best practice is to set +requires-preauth (and probably
> -allow_tgs_req) on principals with password-derived keys and leave it
> unset on principals with random keys.

I thought the "best practice" would be to set requires-preauth on every principal? I don't want to give someone the ability to offline attack any of my principals...
