clock skew and preauth

Nico Williams nico at cryptonector.com
Tue Mar 20 18:26:36 EDT 2012


On Tue, Mar 20, 2012 at 5:06 PM, Chris Hecker <checker at d6.com> wrote:
> Ugh.  Okay, I guess I'll try this if it's the best thing.  I don't
> understand why the challenge preauth type didn't work, though, since the
> draft-ietf-krb-wg-preauth-framework seems to imply it will:
>
>   The
>   word challenge is used instead of timestamp because while the
>   timestamp is used as an initial challenge, if the KDC and client do
>   not have synchronized time, then the KDC can provide updated time to
>   the client to use as a challenge.

Yes, that should work.  It may not be universally deployed, but you
probably don't need to care.  I'm surprised it didn't.

>
> You mention using krb5_init_creds_get_error().  How do I get the
> krb5_init_creds_context to pass to this?  I'm using
> krb5_get_init_creds_keytab, which wraps all that stuff deeper down.  Do I
> have to duplicate all the code in there?

krb5_init_creds_init()

Nico
--
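
Added example (not part of the original message, and not MIT krb5 code): a self-contained C model of the retry the quoted draft text describes, in which the KDC's error reply carries its own time (the stime field of KRB-ERROR in RFC 4120) and the client applies it as an offset for a single retry. The struct, the function names and the 300-second skew limit are assumptions for illustration, and the times are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

#define KRB_AP_ERR_SKEW 37   /* RFC 4120 error code: clock skew too great */
#define MAX_SKEW 300         /* assumed skew limit in seconds */

/* Constructed stand-in for the KRB-ERROR fields that matter here. */
struct model_error { int code; long stime; };

/* Model KDC: accept the timestamp challenge only if it is within
 * MAX_SKEW of the KDC's clock; always report the KDC's time. */
static int model_kdc_check(long kdc_now, long client_ts, struct model_error *err)
{
    err->code = 0;
    err->stime = kdc_now;
    if (labs(kdc_now - client_ts) > MAX_SKEW)
        err->code = KRB_AP_ERR_SKEW;
    return err->code;
}

/* Model client: try local time first; on a skew error, derive an offset
 * from the server time in the error and retry exactly once. The local
 * clock is never changed. Returns 0 on success, else the error code;
 * *offset_out receives the offset that was applied. */
int model_preauth(long local_now, long kdc_now, long *offset_out)
{
    struct model_error err;
    long offset = 0;
    int attempt;

    for (attempt = 0; attempt < 2; attempt++) {
        if (model_kdc_check(kdc_now, local_now + offset, &err) == 0) {
            *offset_out = offset;
            return 0;
        }
        if (err.code != KRB_AP_ERR_SKEW)
            break;                       /* only skew errors are retried */
        offset = err.stime - local_now;  /* per-request offset */
    }
    *offset_out = offset;
    return err.code;
}

int main(void)
{
    long off;
    /* Constructed times: the client is one hour behind the KDC. */
    int rc = model_preauth(1332282396L - 3600, 1332282396L, &off);
    printf("rc=%d offset=%ld\n", rc, off);
    return rc;
}
```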