[38850] in Kerberos
Re: SSH and The requires_pre_auth attribute
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Nov 23 16:54:39 2020
From: Russ Allbery <eagle@eyrie.org>
To: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
In-Reply-To: <alpine.BSF.2.21.99999.352.2011231319290.843@prime.gushi.org>
(Dan Mahoney's message of "Mon, 23 Nov 2020 13:41:37 -0800 (PST)")
Date: Mon, 23 Nov 2020 13:51:46 -0800
Message-ID: <877dqbzqq5.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Dan Mahoney (Gushi)" <danm@prime.gushi.org> writes:
> 1) Is my "if it's on the host entry, it must be on the user entry"
> basically accurate?
Yes.
Therefore, because of this, unless you are *certain* that every principal
that needs to authenticate to another principal will have requires
pre-auth set, you should not set requires pre-auth on server principals.
There is in general no strong reason to set requires pre-auth on
randomly-generated keys unless you want to force exactly this client
behavior. Yes, not having it set means that in theory an attacker can try
to brute-force the randomly-generated key, but... it's randomly generated.
So if there is any realistic chance of success in this, you have much
larger problems.
(I don't have off-the-cuff answers to your other questions.)
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
