Use of clock_skew option on Client side krb5.conf file

Jeffrey Hutzelman jhutz at cmu.edu
Wed Jul 12 18:20:48 EDT 2006



On Monday, July 10, 2006 12:06:12 AM -0700 sandypossible at gmail.com wrote:

> Hi all,
>
> I have a query regarding specifying the clock_skew in the client side
> ( kerberos client) krb5.conf file. As I understand, the maximum
> allowable time skew is determined by KDC. Please let me know whether my
> understanding is correct.
>
> I want to understand the use of specifying the clock_skew in the client
> side krb5.conf file. For example on KDC krb5.conf file, the maximum
> allowable clock skew is say 600 seconds. On the client krb5.conf file I
> specify clock_skew = 1200 seconds. What will be the effect? Will KDC
> accept the request if time difference is greater than 600 but within
> 1200?
>
> Could you please explain?

The KDC determines the amount of skew acceptable between the time the 
client _uses_ and the actual time on the KDC.  Similarly, each Kerberos 
application service determines the amount of skew acceptable between the 
time the client uses and the actual time on the machine providing the 
service.  I believe the clock_skew value in krb5.conf actually controls the 
latter value - that is, it affects application servers, not clients.


RFC4120 describes a way to allow clients to operate with a clock that does 
not agree with the KDC, as long as the client's clock is running at more or 
less the correct _rate_, and as long as the clocks on the KDC and 
application servers are sufficiently close.  Many Kerberos implementations 
support this technique, and will apply it automatically when needed.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
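
Added example, not part of the original message and not code from any Kerberos implementation: a simplified model of the behaviour as this reply describes it, using the question's numbers (verifier limit 600 seconds, client-side setting 1200 seconds). The class names, the static clocks and the retry that learns an offset from the server time carried in the error reply are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass
class Verifier:
    """A KDC or application server (hypothetical model): enforces its own limit."""
    clock: float      # verifier's actual time, epoch seconds
    max_skew: float   # verifier-side limit in seconds, e.g. 600

    def check(self, client_timestamp: float):
        # The decision uses only the verifier's clock and the verifier's limit.
        if abs(client_timestamp - self.clock) > self.max_skew:
            return ("SKEW_ERROR", self.clock)  # error reply carries server time
        return ("OK", self.clock)

@dataclass
class Client:
    clock: float             # client's wall clock, possibly wrong
    local_clock_skew: float  # client-side setting; never seen by the verifier
    offset: float = 0.0      # correction learned from the verifier's time

    def timestamp(self) -> float:
        # The time the client *uses*, which is what the verifier judges.
        return self.clock + self.offset

    def request(self, verifier: Verifier, allow_offset: bool = True) -> str:
        status, server_time = verifier.check(self.timestamp())
        if status == "SKEW_ERROR" and allow_offset:
            # Wrong absolute time, correct rate: keep the local clock,
            # apply a fixed offset to every timestamp sent from now on.
            self.offset = server_time - self.clock
            status, _ = verifier.check(self.timestamp())
        return status

def scenario() -> dict:
    kdc = Verifier(clock=1_000_000.0, max_skew=600)  # constructed sample values
    results = {}
    for drift in (300, 900):  # client clock ahead by 300 s and by 900 s
        c = Client(clock=kdc.clock + drift, local_clock_skew=1200)
        results[(drift, "raw")] = c.request(kdc, allow_offset=False)
        results[(drift, "with_offset")] = c.request(kdc, allow_offset=True)
    return results

if __name__ == "__main__":
    for key, status in scenario().items():
        print(key, status)
```

In this model the 900-second case is rejected despite the client's 1200-second setting, and succeeds only once the client's timestamps are offset to match the verifier's clock.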



