clock skew and preauth

Greg Hudson ghudson at MIT.EDU
Wed Mar 21 00:56:30 EDT 2012


On 03/21/2012 12:32 AM, Chris Hecker wrote:
> If I do that, I was going to add it as an option and contribute the
> diff.  But, is it going to be a big change to restart the process
> internally?  I haven't started looking yet.

You shouldn't need to restart the process.

A preauthenticated AS exchange almost always begins with a client
sending a non-preauthenticated request to the KDC and getting back a
preauth-required error.  You'd use the timestamp in this error to set
the clock offsets in the context before invoking the preauthentication
logic to construct the next request.
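
An added example, not part of the original message and not MIT krb5 code: a self-contained C model of the sequence described above, in which the client records the KDC's time from the preauth-required error as an offset and applies it when building the timestamp for the next request. The types `ktime` and `kctx`, the function names, the 300-second skew limit and the sample times are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; these are not libkrb5 types. */
typedef struct { int64_t sec; int32_t usec; } ktime;
typedef struct { int64_t off_sec; int32_t off_usec; int valid; } kctx;

#define MAX_SKEW 300 /* assumed allowed clock skew, in seconds */

/* Normalize so that 0 <= usec < 1000000. */
static ktime norm(int64_t sec, int64_t usec) {
    ktime t;
    sec += usec / 1000000;
    usec %= 1000000;
    if (usec < 0) { usec += 1000000; sec -= 1; }
    t.sec = sec; t.usec = (int32_t)usec;
    return t;
}

/* On the preauth-required error: store offset = KDC time - local time.
 * KRB-ERROR is not integrity-protected, so this is unauthenticated input. */
void ctx_set_offset(kctx *c, ktime kdc_time, ktime local) {
    ktime d = norm(kdc_time.sec - local.sec, (int64_t)kdc_time.usec - local.usec);
    c->off_sec = d.sec; c->off_usec = d.usec; c->valid = 1;
}

/* Time the preauth logic should use when constructing the next request. */
ktime ctx_now(const kctx *c, ktime local) {
    if (!c->valid) return local;
    return norm(local.sec + c->off_sec, (int64_t)local.usec + c->off_usec);
}

/* KDC-side freshness check, compared in whole seconds. */
int kdc_accepts(ktime stamp, ktime kdc_time) {
    return llabs((long long)(stamp.sec - kdc_time.sec)) <= MAX_SKEW;
}

int main(void) {
    kctx c = {0, 0, 0};
    ktime err_local = {1000, 900000}, err_kdc = {4600, 100000}; /* constructed: client about 1h behind */
    ktime req_local = {1002, 950000}, req_kdc = {4602, 150000}; /* constructed: 2.05 s later */
    printf("without offset: %d\n", kdc_accepts(ctx_now(&c, req_local), req_kdc));
    ctx_set_offset(&c, err_kdc, err_local);
    printf("with offset:    %d\n", kdc_accepts(ctx_now(&c, req_local), req_kdc));
    return 0;
}
```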

