clock skew and preauth
Chris Hecker
checker at d6.com
Tue Mar 20 18:22:36 EDT 2012
Okay, I found some code in ksetpwd.c that seems to do this (although, it
stuffs a pointer to a stack variable into the opts struct and then
returns from the function, which seems kind of broken), and it looks
like this:
krb5_preauthtype preauth[] = { KRB5_PADATA_ENCRYPTED_CHALLENGE }; // nb. ignore clock skew
krb5_get_init_creds_opt_set_preauth_list(options,preauth,sizeof(preauth)/sizeof(preauth[0]));
However, this doesn't fix the problem, the KDC still says the clock skew
is too great. Am I doing this right and it's just not going to work, or
do I need to do something more than this to get the KDC to ignore the
clock skew on preauth?
Thanks,
Chris
On 2012/03/20 13:59, Chris Hecker wrote:
>
> Hmm, it looks like there's a timestamp and a challenge preauth type, but
> I'm having trouble figuring out how to get it used...
>
> Chris
>
> On 2012/03/20 13:46, Chris Hecker wrote:
>>
>> For my video game that uses kerberos, I don't want to worry about clock
>> skew or requiring users to have synced clocks because that's a support
>> nightmare, but I also want to require preauth. I just ran into a
>> problem where it appears preauth (at least the kind I'm using) requires
>> synced clocks? Logins from a machine with the wrong time work if
>> -requires_preauth but I get this if +requires_preauth:
>>
>> krb5kdc[2467](info): preauth (timestamp) verify failure: Clock skew too
>> great
>>
>> Is there anything I can do about this?
>>
>> Thanks,
>> Chris
>>
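
Added example, not part of the original post or the krb5 sources: a scan of KDC log output for the failure quoted above, counting clock-skew preauth failures per client so affected machines can be identified. The sample lines are constructed, and the AS_REQ line layout and the names `skew_failures` and `preauth_skew_lines` are assumptions.

```python
import re
from collections import Counter

SKEW_REASON = "Clock skew too great"

# Constructed sample lines (not from the original post). The first repeats the
# message quoted in the post; the AS_REQ lines assume the krb5kdc layout
# "AS_REQ (...) <addr>: <STATUS>: <client> for <server>, <reason>".
SAMPLE_LOG = """\
krb5kdc[2467](info): preauth (timestamp) verify failure: Clock skew too great
krb5kdc[2467](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: player1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clock skew too great
krb5kdc[2467](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1332282156, etypes {rep=18 tkt=18 ses=18}, player2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5kdc[2467](info): preauth (timestamp) verify failure: Clock skew too great
krb5kdc[2467](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: player1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clock skew too great
krb5kdc[2467](info): preauth (timestamp) verify failure: Decrypt integrity check failed
krb5kdc[2467](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PREAUTH_FAILED: player3@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

# A failed AS_REQ: client address, client principal, server principal, reason.
FAILED = re.compile(
    r"AS_REQ \(.*?\) (?P<addr>\S+): PREAUTH_FAILED: "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<reason>.+)$"
)
# The bare preauth verification message, as quoted in the post.
PREAUTH = re.compile(r"preauth \((?P<kind>[^)]+)\) verify failure: (?P<reason>.+)$")


def skew_failures(log_text):
    """Count skew-caused PREAUTH_FAILED requests per (client, address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m and m.group("reason").strip() == SKEW_REASON:
            counts[(m.group("client"), m.group("addr"))] += 1
    return counts


def preauth_skew_lines(log_text):
    """Count bare preauth verify failures caused by skew (cross-check)."""
    return sum(
        1
        for line in log_text.splitlines()
        if (m := PREAUTH.search(line)) and m.group("reason").strip() == SKEW_REASON
    )


if __name__ == "__main__":
    for (client, addr), n in skew_failures(SAMPLE_LOG).most_common():
        print(f"{client} from {addr}: {n} skew failure(s)")
```

The wrong-password failure for player3 is deliberately left out of the count, so the result separates clock problems from credential problems.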