"Dan Mahoney (Gushi)" <d...@prime.gushi.org> writes:

> 1) Is my "if it's on the host entry, it must be on the user entry"
> basically accurate?

Yes. Therefore, because of this, unless you are *certain* that every principal that needs to authenticate to another principal will have requires pre-auth set, you should not set requires pre-auth on server principals.

There is in general no strong reason to set requires pre-auth on randomly-generated keys unless you want to force exactly this client behavior. Yes, not having it set means that in theory an attacker can try to brute-force the randomly-generated key, but... it's randomly generated. So if there is any realistic chance of success in this, you have much larger problems.

(I don't have off-the-cuff answers to your other questions.)

-- 
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
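
An added example, not part of the original message or of any Kerberos distribution: a small audit that applies the rule confirmed above, listing each service principal that has requires pre-auth set together with the principals that lack it. It assumes input in the `Principal:` / `Attributes:` line layout of MIT kadmin `getprinc` output; the sample data, the realm and the `SERVICE_PRIMARIES` list are constructed assumptions.

```python
FLAG = "REQUIRES_PRE_AUTH"
# Assumption: first components that mark a service principal at this site.
SERVICE_PRIMARIES = {"host", "HTTP", "nfs", "ldap"}

# Constructed sample, trimmed to the two fields the check reads.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH
Principal: bob@EXAMPLE.ORG
Attributes:
Principal: host/web1.example.org@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH
Principal: host/db1.example.org@EXAMPLE.ORG
Attributes:
"""

def parse_principals(text):
    """Return {principal: set(attribute names)} from getprinc-style text."""
    principals, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Principal":
            current = value
            principals[current] = set()
        elif key == "Attributes" and current is not None:
            principals[current].update(value.split())
    return principals

def is_service(principal):
    """True for names like host/fqdn@REALM whose primary is a known service."""
    name = principal.split("@", 1)[0]
    primary, sep, _ = name.partition("/")
    return bool(sep) and primary in SERVICE_PRIMARIES

def preauth_mismatches(principals):
    """Map each pre-auth-requiring service to the principals lacking the flag."""
    lacking = sorted(p for p, attrs in principals.items() if FLAG not in attrs)
    flagged = sorted(p for p, attrs in principals.items()
                     if FLAG in attrs and is_service(p))
    return {svc: lacking for svc in flagged}

if __name__ == "__main__":
    for svc, clients in preauth_mismatches(parse_principals(SAMPLE)).items():
        print(f"{svc} requires pre-auth; principals without it:")
        for client in clients:
            print(f"  {client}")
```
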