Ken Dreyer <[email protected]> writes:
> On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson <[email protected]> wrote:

>> The best practice is to set +requires-preauth (and probably
>> -allow_tgs_req) on principals with password-derived keys and leave it
>> unset on principals with random keys.

> I thought the "best practice" would be to set requires-preauth on
> every principal? I don't want to give someone the ability to offline
> attack any of my principals...

If you're starting from scratch with a new cell, I'd be inclined to do
this (although there can be some weird implications for cross-realm). If
you didn't start that way, getting there is really annoying due to the
existing intermingling of roles of require-preauth, and probably isn't
worth it for non-user principals.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
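
An audit of the flag policy quoted above from Greg Hudson, as an added example that is not part of the original thread: it reads `kadmin` `getprinc` output and lists the `modprinc` commands (kadmin spells the flag `+requires_preauth`) for password-keyed principals missing either flag. The sample output, the principal names and the rule that single-component names are password-keyed users are assumptions.

```python
# Constructed sample of `kadmin -q "getprinc <name>"` output, trimmed to the
# fields the audit reads; principal names and realm are made up.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH DISALLOW_TGT_BASED
Policy: [none]

Principal: bob@EXAMPLE.ORG
Attributes:
Policy: [none]

Principal: host/web1.example.org@EXAMPLE.ORG
Attributes:
Policy: [none]
"""

def parse_getprinc(text):
    """Return {principal: set of attribute names} from getprinc output."""
    result, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Principal":
            current = value.strip()
            result[current] = set()
        elif key == "Attributes" and current is not None:
            result[current] = set(value.split())
    return result

def looks_password_derived(principal):
    """Assumption: single-component names are users with password keys."""
    return "/" not in principal.split("@", 1)[0]

def audit(text, is_password=looks_password_derived):
    """Return kadmin modprinc commands for password principals missing flags."""
    commands = []
    for princ, attrs in sorted(parse_getprinc(text).items()):
        if not is_password(princ):
            continue  # treated as random-key: left unset, per the quoted advice
        flags = []
        if "REQUIRES_PRE_AUTH" not in attrs:
            flags.append("+requires_preauth")
        if "DISALLOW_TGT_BASED" not in attrs:  # shown when -allow_tgs_req is set
            flags.append("-allow_tgs_req")
        if flags:
            commands.append(f"modprinc {' '.join(flags)} {princ}")
    return commands
```

Passing `is_password=lambda p: True` gives the every-principal variant raised in the reply.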
