clock skew and preauth
Stef Walter
stefw at gnome.org
Thu Apr 5 12:31:40 EDT 2012
[Sorry this isn't a follow up to the previous thread on this topic. I
just joined the mailing list yesterday.]
I ran into the same problem as recently discussed on the mailing list,
with preauth encrypted-timestamp failing due to out of sync clocks.
That's despite kdc_timesync = 1.
Greg pointed out this patch:
http://mailman.mit.edu/pipermail/kerberos/2012-March/018014.html
In my opinion, the problem with that patch is we're using an
unauthenticated source (krb5_error->stime) to set the global time offset
for the entire library (and storing it in the cache file). This could
be abused.
Attached is a patch which:
* Stores a timestamp offset in krb5_clpreauth_rock when preauth is
requested, and uses it during preauth encrypted timestamp.
* Exposes a new callback for client preauth plugins. Suggested
by Greg.
* Refactors krb5_us_timeofday() so we don't copy paste around
the offset calculation code.
* Uses an offset because of the prompting delay problem [1]
* Only enables preauth offsets if kdc_timesync != 0.
Does this look like a good approach? I'll file a PR for it if so.
Cheers,
Stef
[1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7063
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Support-using-kdc-time-during-encrypted-timestamp-pr.patch
Type: text/x-patch
Size: 10366 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120405/e3107568/attachment.bin
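A small constructed model of the approach described in the post (added here; not the attached patch or krb5's own code): the offset derived from the unauthenticated KRB-ERROR stime is kept in a per-request preauth structure, applied only when building the encrypted timestamp, gated on kdc_timesync, and never written to the library-wide offset. All type and function names (krb_ctx, preauth_rock, record_kdc_stime, preauth_timestamp, simulate_exchange) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the real structures; names are assumptions. */
typedef struct {
    int64_t global_offset;   /* library-wide offset: left untouched by this code */
} krb_ctx;

typedef struct {
    int kdc_timesync;        /* mirrors [libdefaults] kdc_timesync */
    int have_offset;
    int64_t offset;          /* KDC stime minus local time, scoped to this exchange */
} preauth_rock;

/* Called when the KDC's KRB-ERROR (e.g. PREAUTH_REQUIRED) carries an stime.
 * Only the rock is updated; the unauthenticated value never reaches krb_ctx. */
void record_kdc_stime(preauth_rock *rock, int64_t local_now, int64_t kdc_stime)
{
    if (!rock->kdc_timesync)
        return;                         /* feature enabled only if kdc_timesync != 0 */
    rock->offset = kdc_stime - local_now;
    rock->have_offset = 1;
}

/* Timestamp placed in the encrypted-timestamp preauth. Storing an offset rather
 * than a fixed time means a long password prompt does not reintroduce skew. */
int64_t preauth_timestamp(const preauth_rock *rock, int64_t local_now)
{
    return local_now + (rock->have_offset ? rock->offset : 0);
}

/* KDC-side acceptance check: |timestamp - kdc_now| must be within max_skew. */
int within_skew(int64_t ts, int64_t kdc_now, int64_t max_skew)
{
    return llabs((long long)(ts - kdc_now)) <= max_skew;
}

/* Constructed exchange: returns 1 if the KDC would accept the timestamp.
 * The client clock is assumed to be behind the KDC by (kdc_now - client_now). */
int simulate_exchange(krb_ctx *ctx, int kdc_timesync, int64_t client_now, int64_t kdc_now)
{
    preauth_rock rock = { kdc_timesync, 0, 0 };
    (void)ctx;                          /* global offset intentionally never touched */
    record_kdc_stime(&rock, client_now, kdc_now);   /* AS-REQ -> KRB-ERROR with stime */
    client_now += 30;                   /* user takes 30 s to type the password... */
    kdc_now += 30;                      /* ...and both clocks advance the same amount */
    return within_skew(preauth_timestamp(&rock, client_now), kdc_now, 300);
}
```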