On Tue, 2011-07-19 at 13:46 -0400, Chris Hecker wrote:
> Is there any reason I wouldn't want +requires_preauth on any user
> accounts? It looks like it doubles the number of connections to the KDC
> to get the tgt, but besides that additional load, is there any downside
> to doing it?
Short answer: no real downside other than the latency and load of that extra round trip.

Longer answer: requires-preauth has two effects (which should probably be separate, but it's hard to pry them apart now). It makes preauth required for an AS-REQ for that client principal, but it also means that any TGS-REQ for that principal as a *server* must be made with tickets that used preauth. So if a principal might ever be used as a server, you don't want to set requires-preauth on it unless requires-preauth has also been set (for the last 10-24 hours or whatever) on every client which might access that server.

The best practice is to set +requires-preauth (and probably -allow_tgs_req) on principals with password-derived keys and leave it unset on principals with random keys.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
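The best practice and the server-side caveat in the reply above, turned into a small audit script. This is an added example, not code from the thread or from MIT Kerberos. It parses the `Principal:` and `Attributes:` lines of `kadmin.local getprinc` output (the sample below is constructed and abbreviated to just those two lines), classifies principals by the assumption that multi-component names such as host/... or HTTP/... are random-key service principals and single-component names are password-derived users, flags service principals that have REQUIRES_PRE_AUTH while some client principal lacks it (the TGS-REQ failure mode the reply describes), and emits the `modprinc` flags that move each principal to the recommended state. The mapping used is that `+requires_preauth` sets REQUIRES_PRE_AUTH and `-allow_tgs_req` sets DISALLOW_TGT_BASED.

```python
# Added example (not from the thread): audit Kerberos principal attributes
# against the "requires_preauth on password-derived principals only" advice.

# Constructed, abbreviated `kadmin.local getprinc` output: only the two lines
# this audit reads. Not real data from any KDC.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH DISALLOW_TGT_BASED
Principal: bob@EXAMPLE.COM
Attributes:
Principal: host/kdc1.example.com@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Principal: HTTP/www.example.com@EXAMPLE.COM
Attributes:
"""

# Attribute name as printed by getprinc -> kadmin modprinc flag that controls it.
# Note the polarity: "-allow_tgs_req" is what SETS DISALLOW_TGT_BASED.
FLAG_FOR_ATTR = {
    "REQUIRES_PRE_AUTH": "requires_preauth",
    "DISALLOW_TGT_BASED": "allow_tgs_req",
}


def parse_getprinc(text):
    """Return {principal: set(attribute names)} from getprinc output."""
    principals = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            principals[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            principals[current].update(line.split(":", 1)[1].split())
    return principals


def is_service_principal(name):
    # Assumption (mine): a '/' in the name part means a keytab-based,
    # random-key service principal; no '/' means a user with a password-derived key.
    return "/" in name.split("@", 1)[0]


def desired_attrs(name):
    """Attribute set the reply recommends for this kind of principal."""
    if is_service_principal(name):
        return set()
    return {"REQUIRES_PRE_AUTH", "DISALLOW_TGT_BASED"}


def fix_commands(principals):
    """kadmin modprinc commands that move each principal to the desired state."""
    cmds = []
    for name in sorted(principals):
        have, want = principals[name], desired_attrs(name)
        flags = []
        for attr, flag in FLAG_FOR_ATTR.items():
            in_have, in_want = attr in have, attr in want
            if in_have == in_want:
                continue
            # REQUIRES_* attributes are set with '+flag'; DISALLOW_* with '-flag'.
            set_with_plus = not attr.startswith("DISALLOW_")
            flags.append(("+" if in_want == set_with_plus else "-") + flag)
        if flags:
            cmds.append("modprinc %s %s" % (" ".join(flags), name))
    return cmds


def preauth_server_hazards(principals):
    """(server, [clients]) pairs where a service principal requires preauth but
    some client principal does not: TGS-REQs for that server made with those
    clients' non-preauth TGTs will be refused, per the reply above."""
    unprotected = sorted(n for n, a in principals.items()
                         if not is_service_principal(n) and "REQUIRES_PRE_AUTH" not in a)
    return [(n, unprotected) for n, a in sorted(principals.items())
            if is_service_principal(n) and "REQUIRES_PRE_AUTH" in a and unprotected]


if __name__ == "__main__":
    db = parse_getprinc(SAMPLE_GETPRINC)
    for server, clients in preauth_server_hazards(db):
        print("WARNING: %s requires preauth; clients without it: %s"
              % (server, ", ".join(clients)))
    for cmd in fix_commands(db):
        print(cmd)
```

Feed it real output with something like `kadmin.local -q "getprinc alice@EXAMPLE.COM"` per principal (or the whole `listprincs` loop) and review the hazard list before applying the commands; the classification heuristic is deliberately crude, so admin instances such as alice/admin@EXAMPLE.COM, which have password-derived keys, need a manual override.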