clock skew and preauth
Greg Hudson
ghudson at MIT.EDU
Sun Apr 15 18:37:56 EDT 2012

On 04/05/2012 12:31 PM, Stef Walter wrote:
> Attached is a patch which:
>
> * Stores a timestamp offset in krb5_clpreauth_rock when preauth is
>   requested, and uses it during preauth encrypted timestamp.
> * Exposes a new callback for client preauth plugins. Suggested
>   by Greg.
> * Refactors krb5_us_timeofday() so we don't copy paste around
>   the offset calculation code.
> * Uses an offset because of the prompting delay problem [1]
> * Only enables preauth offsets if kdc_timesync != 0.

I have one concern about this approach, which is that an attacker could
create a false log entry for a successful preauthentication on the KDC
by forging the timestamp in a preauth-required error. That is, you
attempt to kinit at noon; I forge a timestamp of 11pm in the
preauth-required error and capture your preauthenticated request; then
at 11pm I send that request to the KDC to make it look like you
authenticated at that time.

This isn't necessarily a serious enough vulnerability to worry about
(when the alternative is for preauth to just fail with skewed clocks),
but I want to raise the issue before taking the patch.
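
The scenario raised in the message above, modelled as an added example that is not part of the original message or of MIT krb5. The function names, the 300-second skew window and the clock values are assumptions chosen for illustration; the 10-second gap stands in for the prompting delay.

```c
/* Added illustration (not MIT krb5 code): a toy model of the encrypted
 * timestamp check. Names and the 300 s skew window are assumptions. */
#include <stdio.h>
#include <stdlib.h>

#define CLOCKSKEW 300L            /* assumed KDC tolerance, seconds */

/* Client side: offset learned from the unauthenticated
 * preauth-required error, as the patch under discussion proposes. */
static long learn_offset(long error_stime, long client_now)
{
    return error_stime - client_now;
}

/* Client side: timestamp placed in the preauthenticated request. */
static long preauth_timestamp(long client_now, long offset)
{
    return client_now + offset;
}

/* KDC side: accept only if the timestamp is within the skew window. */
static int kdc_accepts(long patimestamp, long kdc_now)
{
    return labs(patimestamp - kdc_now) <= CLOCKSKEW;
}

int main(void)
{
    const long noon = 12 * 3600L, eleven_pm = 23 * 3600L;

    /* Benign: client clock is 20 min slow, error carries true KDC time. */
    long slow = noon - 1200;
    long ts = preauth_timestamp(slow + 10, learn_offset(noon, slow));
    printf("benign skew, sent at noon+10s: %d\n", kdc_accepts(ts, noon + 10));

    /* The concern above: error forged with 11pm while it is really noon. */
    long forged = preauth_timestamp(noon + 10, learn_offset(eleven_pm, noon));
    printf("forged, seen by KDC at noon:   %d\n",
           kdc_accepts(forged, noon + 10));
    printf("forged, replayed at 11pm:      %d\n",
           kdc_accepts(forged, eleven_pm + 10));

    /* Without the offset the same capture is stale by 11pm. */
    long plain = preauth_timestamp(noon + 10, 0);
    printf("no offset, replayed at 11pm:   %d\n", kdc_accepts(plain, eleven_pm + 10));
    return 0;
}
```

The forged-offset request is rejected if it reaches the KDC at noon but accepted at 11pm, while the same capture made without an offset is outside the skew window by then.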