clock skew and preauth

Chris Hecker checker at d6.com
Tue Mar 20 18:06:17 EDT 2012


Ugh.  Okay, I guess I'll try this if it's the best thing.  I don't
understand why the challenge preauth type didn't work, though, since the
draft-ietf-krb-wg-preauth-framework seems to imply it will:

   The
   word challenge is used instead of timestamp because while the
   timestamp is used as an initial challenge, if the KDC and client do
   not have synchronized time, then the KDC can provide updated time to
   the client to use as a challenge.


You mention using krb5_init_creds_get_error().  How do I get the
krb5_init_creds_context to pass to this?  I'm using
krb5_get_init_creds_keytab, which wraps all that stuff deeper down.  Do I
have to duplicate all the code in there?

Thanks,
Chris


On Tue, Mar 20, 2012 at 2:07 PM, Nico Williams <nico at cryptonector.com> wrote:

> For TGS reqs you can configure krb5.conf to correct for the local
> clock skew using the time from the TGS-REP.
>
> The client could do something similar for AS exchanges, using the
> clock from the KRB-ERROR to correct for local skew then try again.
> The client does not do this automatically now, but you can use
> krb5_init_creds_get_error() to get the error information and adjust
> the local clock using either krb5_set_time_offsets() or
> krb5_set_real_time(), then try again.
>
> Nico
> --
>

