Slightly confused by user-to-user authentication...

Greg Hudson ghudson at MIT.EDU
Thu Jul 7 08:44:48 EDT 2011


On Thu, 2011-07-07 at 01:59 -0400, Chris Hecker wrote:
> One more question about user-to-user:  the FAQ says that the "Clocks
> Adrift" paper's solution for not forcing clients to have synced clocks
> is implemented in krb5.  How does this relate to user-to-user sessions?

This should work for user-to-user sessions.  When a client gets initial
credentials, it learns its clock skew relative to the KDC.  (For
processes which come in later, the clock skew is remembered in
file-based ccaches.  If you use a different type of ccache, such as a
Linux keyring cache, this mechanism may not work.)  So both clients
should be pretending that their time is the KDC's time for the purpose
of Kerberos operations.

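As an added illustration (not part of Greg's message or krb5's own code): this Python snippet assumes the krb5 file ccache version 4 header layout (version bytes 0x0504, a 16-bit header length, then tag/length/value entries where tag 1 carries the KDC time offset as two signed 32-bit integers, seconds and microseconds) and shows how a later process can recover the stored offset and evaluate ticket validity in KDC time. The header bytes and ticket times are constructed sample values, not read from a real cache.

```python
import struct

FCC_VERSION_4 = 0x0504
FCC_TAG_DELTATIME = 1  # assumed header tag carrying the KDC time offset


def build_fcc_header(offset_sec, offset_usec=0):
    """Construct a minimal FCC v4 header (sample data, not a real cache)."""
    tag = struct.pack(">HHii", FCC_TAG_DELTATIME, 8, offset_sec, offset_usec)
    return struct.pack(">HH", FCC_VERSION_4, len(tag)) + tag


def read_delta_time(data):
    """Return (seconds, microseconds) from the DeltaTime tag, or None."""
    if len(data) < 4:
        raise ValueError("truncated ccache")
    version, hdr_len = struct.unpack(">HH", data[:4])
    if version != FCC_VERSION_4:
        return None  # older file formats carry no header, hence no offset
    hdr = data[4:4 + hdr_len]
    if len(hdr) != hdr_len:
        raise ValueError("truncated header")
    pos = 0
    while pos + 4 <= len(hdr):
        tag, length = struct.unpack(">HH", hdr[pos:pos + 4])
        value = hdr[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated tag")
        if tag == FCC_TAG_DELTATIME and length == 8:
            return struct.unpack(">ii", value)
        pos += 4 + length
    return None


def kdc_time(local_now, delta):
    """Map local wall-clock time onto the KDC's clock using the stored offset."""
    if delta is None:
        return local_now  # no stored offset: behave as if clocks were in sync
    sec, usec = delta
    return local_now + sec + usec / 1e6


def ticket_usable(local_now, delta, starttime, endtime, max_skew=300):
    """Validity check in KDC time, with the usual 5 minute skew tolerance."""
    now = kdc_time(local_now, delta)
    return starttime - max_skew <= now <= endtime + max_skew
```

With a client clock 20 minutes behind the KDC, a freshly issued ticket looks "not yet valid" unless the stored offset is applied, which is the situation a non-file ccache can leave you in.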