clock skew and preauth
Chris Hecker
checker at d6.com
Tue Mar 20 20:19:05 EDT 2012
Yeah, I'm still failing on the "preauth (timestamp)", so clearly I don't
understand how to get the challenge one called...
Chris
On 2012/03/20 16:55, Chris Hecker wrote:
>
>> Yes, that should work. It may not be universally deployed, but you
>> probably don't need to care. I'm surprised it didn't.
>
> I'm trying to debug it, and it's a 1.9.2 kdc right now, which has the ec
> type as an so, and I'm wondering if I'm screwing something up. It does
> load the so according to gdb.
>
> Also, the encrypted_challenge_main.c file does check this:
>
> if (labs(now-ts->patimestamp) < context->clockskew) {
>
> and gives the KRB5KRB_AP_ERR_SKEW error, which is the same check the
> timestamp preauth does, so I don't see how it could work. But, I'm
> having trouble getting gdb to break there, so I'm not sure it's getting
> called.
>
> Chris
>
>
>
> On 2012/03/20 15:26, Nico Williams wrote:
>> On Tue, Mar 20, 2012 at 5:06 PM, Chris Hecker <checker at d6.com> wrote:
>>> Ugh. Okay, I guess I'll try this if it's the best thing. I don't
>>> understand why the challenge preauth type didn't work, though, since the
>>> draft-ietf-krb-wg-preauth-framework seems to imply it will:
>>>
>>> The
>>> word challenge is used instead of timestamp because while the
>>> timestamp is used as an initial challenge, if the KDC and client do
>>> not have synchronized time, then the KDC can provide updated time to
>>> the client to use as a challenge.
>>
>> Yes, that should work. It may not be universally deployed, but you
>> probably don't need to care. I'm surprised it didn't.
>>
>>>
>>> You mention using krb5_init_creds_get_error(). How do I get the
>>> krb5_init_creds_context to pass to this? I'm using
>>> krb5_get_init_creds_keytab, which wraps all that stuff deeper down. Do I
>>> have to duplicate all the code in there?
>>
>> krb5_init_creds_init()
>>
>> Nico
>> --
>>
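The retry behaviour described in the quoted draft text, as an added example that is not part of the original thread and is not MIT krb5 code: a self-contained model in which the KDC applies the same kind of skew comparison quoted above and, on failure, hands back its own time for the client to use as the challenge. All names (`kdc_check`, `client_preauth`, `CLOCKSKEW`) and the time values are hypothetical, and time elapsed between the two attempts is ignored.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; every identifier here is hypothetical, not krb5 API. */
#define CLOCKSKEW 300L              /* allowed skew in seconds (constructed) */

enum kdc_status { KDC_OK = 0, KDC_ERR_SKEW = 1 };

struct kdc_reply {
    enum kdc_status status;
    long kdc_time;                  /* KDC's own clock, set only on a skew error */
};

/* KDC side: accept the timestamp only if it is within CLOCKSKEW of KDC time. */
static struct kdc_reply kdc_check(long kdc_now, long patimestamp)
{
    struct kdc_reply r = { KDC_OK, 0 };
    if (labs(kdc_now - patimestamp) >= CLOCKSKEW) {
        r.status = KDC_ERR_SKEW;
        r.kdc_time = kdc_now;       /* updated time for the client to use */
    }
    return r;
}

/* Client side: send local time first; on a skew error derive an offset from
 * the KDC-supplied time and retry once. Returns the attempt number that
 * succeeded, or -1 if both attempts were rejected. */
static int client_preauth(long client_now, long kdc_now, long *offset_out)
{
    long offset = 0;
    for (int attempt = 1; attempt <= 2; attempt++) {
        struct kdc_reply r = kdc_check(kdc_now, client_now + offset);
        if (r.status == KDC_OK) {
            *offset_out = offset;
            return attempt;
        }
        offset = r.kdc_time - client_now;   /* correct for the skew */
    }
    return -1;
}

int main(void)
{
    long off = 0;
    int n = client_preauth(1000000L, 1003600L, &off);  /* client 1 hour behind */
    printf("succeeded on attempt %d with offset %ld s\n", n, off);
    return n == 2 ? 0 : 1;
}
```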