Use of clock_skew option on Client side krb5.conf file
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Jul 12 18:20:48 EDT 2006
On Monday, July 10, 2006 12:06:12 AM -0700 sandypossible at gmail.com wrote:
> Hi all,
>
> I have a query regaqrding specifying the clock_skew in the client side
> ( kerberos client) krb5.conf file. As I understand, the maximum
> allowable time skew is determined by KDC. Please let me know whether my
> understanding is correct.
>
> I want to understand the use of specifying the clock_skew in the client
> side krb5.conf file. For example on KDC krb5.conf file, the maximum
> allowable clock skew is say 600 seconds. On the client krb5.conf file I
> specify clock_skew = 1200 seconds. What will be the effect ? Will KDC
> accept the request if time difference is greater than 600 but with in
> 1200 ?
>
> Could you please explain?
The KDC determines the amount of skew acceptable between the time the
client _uses_ and the actual time on the KDC. Similarly, each Kerberos
application service determines the amount of skew acceptable between the
time the client uses and the actual time on the machine providing the
service. I beliece the clock_skew value in krb5.conf actually controls the
latter value - that is, it affects application servers, not clients.
RFC4120 describes a way to allow clients to operate with a clock that does
not agree with the KDC, as long as the client's clock is running at more or
less the correct _rate_, and as long as the clocks on the KDC and
application servers are sufficiently close. Many Kerberos implementations
support this technique, and will apply it automatically when needed.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos
mailing list