Does pre-authentication help against "insider" attacks?
Henry B (Hank) Hotz, CISSP
hbhotz at oxy.edu
Fri May 26 19:38:44 CEST 2017
> On May 26, 2017, at 11:44 AM, Viktor Dukhovni <heimdal at dukhovni.org> wrote:
> And in particular, "service accounts" (service principals) generally have
> random keys generated by cryptographically strong PRNG. They are typically
> (on Unix systems) not and should not be "password based".
> Now it is true that in Active Directory various services (SPNs)
> require a domain password for their domain account (there are
> no "keytab" files on Windows). It is up to the domain administrator
> to configure strong random passwords for such accounts.
In Heimdal that’s kadmin add --random-key . . . Don’t use kadmin add --random-password unless the (small) number of characters is OK for your application.
In MIT it’s kadmin addprinc -randkey.
Now for my question: In Windows it looks like you should be able to do something similar with “ktpass /pass +rndpass . . .”, but I’ve never been able to get that command accepted. Under what conditions does that option work?
Personal email. hbhotz at oxy.edu
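An added example, not part of the original thread or of Heimdal, MIT or Microsoft code: a small POSIX shell helper for the Active Directory case Viktor describes, where no keytab exists and the domain administrator has to hand a strong random password to the account (and to ktpass /pass) instead of letting the KDC pick a random key. The function names, the 40-character default and the entropy estimate are my own choices; the Unix KDC commands appear only as comments because they need a running kadmin.

```shell
#!/bin/sh
# Added example (not from the original thread). On Unix KDCs prefer random
# keys, which are never typed or stored as a password:
#   Heimdal: kadmin add --random-key host/svc.example.com
#   MIT:     kadmin addprinc -randkey host/svc.example.com
# On Active Directory the service account needs an actual password, so
# generate a long one from the kernel CSPRNG rather than a short or
# human-chosen string.

# Print a password of LEN characters (default 40) drawn from [A-Za-z0-9].
# base64 output of /dev/urandom is filtered to that alphabet; the loop keeps
# reading until enough characters survive the filter.
gen_service_password() {
    len="${1:-40}"
    pw=""
    while [ "${#pw}" -lt "$len" ]; do
        chunk=$(head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9')
        pw="${pw}${chunk}"
    done
    printf '%s' "$pw" | cut -c1-"$len"
}

# Approximate entropy in bits for a password drawn uniformly from a
# 62-character alphabet: length * log2(62), about 5.95 bits per character.
# A 40-character value gives roughly 238 bits, far beyond any AES key size.
password_entropy_bits() {
    awk -v p="$1" 'BEGIN { printf "%d\n", length(p) * log(62) / log(2) }'
}

# Usage: the generated value is what you would pass to
#   ktpass /pass <password> ...
# on the Windows side; keep it out of shell history and logs.
main() {
    pw=$(gen_service_password 40)
    printf 'password: %s\nentropy: %s bits\n' "$pw" "$(password_entropy_bits "$pw")"
}

[ "${GEN_PW_NO_MAIN:-}" ] || main
```

The point of the entropy check is the contrast with kadmin add --random-password: a password that is only a handful of characters long sits at well under 64 bits regardless of how it was chosen, so length, not just randomness, is what makes the AD account comparable to a random-key principal.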