Slightly confused by user-to-user authentication...

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jul 7 21:02:05 EDT 2011


>It occurs to me that the current clock skew correction code (when
>things are set up so it works) only works on the client side; your
>application server still needs to have a correct clock.  So that would
>probably mean the "server" in U2U would need to have a correct clock
>(the "server" in this case is the guy who does NOT talk to the KDC).

Of course I _THEN_ realize that since the "server" in this case has
obviously talked to the KDC, he'll have clock skew correction
information available.  Sigh.  I'm not completely sure that the side that
processes AP_REQs handles that correctly (has that ever been tested?),
but it will be interesting to find out.

--Ken


