when would you not want +requires_preauth?

Is there any reason I wouldn't want +requires_preauth on any user accounts? It looks like it doubles the number of connections to the KDC to get the tgt, but besides that additional load, is there any downside to doing it? Thanks, Chris

Re: when would you not want +requires_preauth?

On Tue, 2011-07-19 at 13:46 -0400, Chris Hecker wrote: Is there any reason I wouldn't want +requires_preauth on any user accounts? It looks like it doubles the number of connections to the KDC to get the tgt, but besides that additional load, is there any downside to doing it? Short

Re: when would you not want +requires_preauth?

On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson ghud...@mit.edu wrote: The best practice is to set +requires-preauth (and probably -allow_tgs_req) on principals with password-derived keys and leave it unset on principals with random keys. I thought the best practice would be to set

Re: when would you not want +requires_preauth?

On Tue, Jul 19, 2011 at 2:01 PM, Ken Dreyer ktdre...@ktdreyer.com wrote: On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson ghud...@mit.edu wrote: The best practice is to set +requires-preauth (and probably -allow_tgs_req) on principals with password-derived keys and leave it unset on principals

Re: when would you not want +requires_preauth?

On Tue, 2011-07-19 at 15:01 -0400, Ken Dreyer wrote: I thought the best practice would be to set requires-preauth on every principal? I don't want to give someone the ability to offline attack any of my principals... If I can successfully offline attack a random key, I'll just make a TGS

Re: leaking rcache opens in gss_accept_sec_context

On Jul 14, 2011, at 9:40 AM, Greg Hudson wrote: On Wed, 2011-07-13 at 15:33 -0400, Benjamin Coddington wrote: Anyway, calling gss_accept_sec_context this way allows svcgssd to create a context for any requested service name -- but the problem we found is that svcgssd opens the kerberos replay

Re: when would you not want +requires_preauth?

Ken Dreyer ktdre...@ktdreyer.com writes: On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson ghud...@mit.edu wrote: The best practice is to set +requires-preauth (and probably -allow_tgs_req) on principals with password-derived keys and leave it unset on principals with random keys. I thought the

Re: leaking rcache opens in gss_accept_sec_context

On Tue, 2011-07-19 at 16:21 -0400, Benjamin Coddington wrote: gss_acquire_cred gss_accept_sec_context gss_export_lucid_sec_context gss_delete_sec_context I found that before we got to gss_delete_sec_context(), we had already tried to clean up the context in