On Tue, 2011-07-19 at 15:01 -0400, Ken Dreyer wrote:
> I thought the "best practice" would be to set requires-preauth on
> every principal? I don't want to give someone the ability to offline
> attack any of my principals...

If I can successfully offline attack a random key, I'll just make a TGS request for your krbtgt and attack the resulting ticket. (I'd have to be able to authenticate as *someone* in your realm, but that's not a very high bar.) Luckily, nobody has the computational resources to successfully attack a random 128-bit or larger key, and there's a reasonable argument that no one ever will in the absence of practical quantum computing.
