Credential cache file format documentation

Tim Alsop Tim.Alsop at CyberSafe.Com
Wed Sep 13 13:49:52 EDT 2006


Jeffrey,

Without looking at our code, I cannot be sure of all of the cases where
we use the KDC IP address (stored in cache). However, one case where I
know it is used is when we report it to the user, when they use "klist
-a". This allows the user to know which KDC (or KDCs) have a clock which
is out of sync with the client clock. For cache types 1, 2 and 3 we store
the IP address of the KDC in the ticket address field (e.g. the same place
where IP addresses are stored in tickets if requested during
AS-REQ/AS-REP exchange). We cannot assume that the clocks on all KDCs for
a particular domain are in sync. Just like we cannot assume that the
client clock is in sync with the KDC.

Thanks,
Tim 

-----Original Message-----
From: Jeffrey Hutzelman [mailto:jhutz at cmu.edu] 
Sent: 13 September 2006 18:12
To: Tim Alsop; Simon Josefsson
Cc: kerberos at mit.edu; Jeffrey Hutzelman
Subject: RE: Credential cache file format documentation



On Wednesday, September 13, 2006 05:31:13 PM +0100 Tim Alsop 
<Tim.Alsop at CyberSafe.Com> wrote:

> For cache types 1, 2 and 3 we currently store deltatime info in a hidden
> ticket in the cache, and we also store the IP address of the KDC where
> the time offset came from. The deltatime header tag does not currently
> allow any way to store this IP address, so this is what we were thinking
> of adding, into a new tag.

What do you use that information for?
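
For readers following the thread, an added example (not code from either poster or from any Kerberos implementation) that reads the tagged header discussed above: it decodes the deltatime tag, keeps tags it does not recognise, and rejects length fields that overrun the header. It assumes the MIT version 0x0504 layout (big-endian version, header length, then tag/length/data entries, with tag 1 carrying two 32-bit offsets); the tag number 0x7FFF and its 4-byte payload in the sample are constructed placeholders, not the tag proposed in this thread.

```python
import struct

TAG_DELTATIME = 1  # assumption: the deltatime tag number in version 0x0504 caches

def parse_ccache_header(blob: bytes) -> dict:
    """Parse the version word and tagged header of a version 0x0504 cache."""
    if len(blob) < 4:
        raise ValueError("truncated: no version/header length")
    version, header_len = struct.unpack_from(">HH", blob, 0)
    if version != 0x0504:
        raise ValueError(f"no tagged header in version {version:#06x}")
    end = 4 + header_len
    if end > len(blob):
        raise ValueError("header length runs past end of file")
    result = {"version": version, "deltatime": None, "unknown_tags": []}
    pos = 4
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated tag header")
        tag, tag_len = struct.unpack_from(">HH", blob, pos)
        pos += 4
        if tag_len > end - pos:  # never trust a length field from the file
            raise ValueError(f"tag {tag} length overruns header")
        data = blob[pos:pos + tag_len]
        pos += tag_len
        if tag == TAG_DELTATIME:
            if tag_len != 8:
                raise ValueError("deltatime tag must be 8 bytes")
            # Decoded as signed here, since a clock offset can be negative.
            result["deltatime"] = struct.unpack(">ii", data)
        else:
            # Unknown tags are skipped by length and kept opaque.
            result["unknown_tags"].append((tag, data))
    result["body_offset"] = end  # principal and credentials start here
    return result

def build_sample() -> bytes:
    """Constructed sample: a deltatime tag plus one placeholder tag."""
    deltatime = struct.pack(">HHii", TAG_DELTATIME, 8, -37, 250000)
    extra = struct.pack(">HH", 0x7FFF, 4) + bytes([192, 0, 2, 10])
    header = deltatime + extra
    return struct.pack(">HH", 0x0504, len(header)) + header + b"\x00" * 8

SAMPLE = build_sample()
```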



