clock skew and preauth
Nico Williams
nico at cryptonector.com
Tue Mar 20 17:07:53 EDT 2012
For TGS reqs you can configure krb5.conf to correct for the local
clock skew using the time from the TGS-REP.

The client could do something similar for AS exchanges, using the
clock from the KRB-ERROR to correct for local skew then try again.

The client does not do this automatically now, but you can use
krb5_init_creds_get_error() to get the error information and adjust
the local clock using either krb5_set_time_offsets() or
krb5_set_real_time(), then try again.
Nico
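
The retry step described in the message above, as an added example that is not part of the original post or of the krb5 sources. It assumes MIT krb5's public krb5.h; `MAX_CORRECTION`, `skew_correction()` and `adopt_kdc_time()` are hypothetical names, and the bound on the correction is an added policy, because a KRB-ERROR is not integrity-protected and its time should not be adopted without a limit.

```c
/* Added example. Build the libkrb5 part with: cc -DUSE_LIBKRB5 skew.c -lkrb5 */
#include <stdint.h>
#include <stdlib.h>

#define MAX_CORRECTION 3600   /* assumed local policy, in seconds */

/* Decide whether to adopt the KDC time carried in a KRB-ERROR.
 * Returns 1 and stores (kdc - local) seconds in *offset when a correction
 * is needed and within policy; returns 0 and leaves *offset alone when the
 * clocks agree or the jump exceeds MAX_CORRECTION. */
int skew_correction(int64_t local_sec, int64_t kdc_sec, int64_t *offset)
{
    int64_t d = kdc_sec - local_sec;

    if (d == 0 || llabs(d) > MAX_CORRECTION)
        return 0;
    *offset = d;
    return 1;
}

#ifdef USE_LIBKRB5
#include <krb5.h>

/* Call after krb5_init_creds_get() has failed on icc.
 * Returns 1 when the context's clock was adjusted from the KRB-ERROR and
 * the AS exchange is worth retrying, 0 otherwise. */
int adopt_kdc_time(krb5_context ctx, krb5_init_creds_context icc)
{
    krb5_error *err = NULL;
    krb5_timestamp now;
    krb5_int32 usec;
    int64_t off;
    int retry = 0;

    /* No KRB-ERROR was received: nothing to correct against. */
    if (krb5_init_creds_get_error(ctx, icc, &err) != 0 || err == NULL)
        return 0;

    /* stime/susec are the KDC's clock at the time it built the error. */
    if (krb5_us_timeofday(ctx, &now, &usec) == 0 &&
        skew_correction(now, err->stime, &off))
        retry = (krb5_set_real_time(ctx, err->stime, err->susec) == 0);

    krb5_free_error(ctx, err);
    return retry;
}
#endif
```

The adjustment applies only to the given krb5_context, not to the system clock, so the retry has to reuse that context.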