clock skew and preauth
Chris Hecker
checker at d6.com
Wed Mar 21 01:02:21 EDT 2012
Cool. Should I just put it on kdc_timesync then? I'm easy, somebody
with a clue just tell me what to do and I'll write the code. :)
Also, I haven't tested this yet, but will this all work with u2u tickets
correctly? I assume so, since in a thread a long time ago I asked about
this, but we didn't talk about preauth then. I guess this means all the
clients will just sync to the kdc's clock automatically so I'm assuming yes.
Thanks,
Chris
On 2012/03/20 21:56, Greg Hudson wrote:
> On 03/21/2012 12:32 AM, Chris Hecker wrote:
>> If I do that, I was going to add it as an option and contribute the
>> diff. But, is it going to be a big change to restart the process
>> internally? I haven't started looking yet.
>
> You shouldn't need to restart the process.
>
> A preauthenticated AS exchange almost always begins with a client
> sending a non-preauthenticated request to the KDC and getting back a
> preauth-required error. You'd use the timestamp in this error to set
> the clock offsets in the context before invoking the preauthentication
> logic to construct the next request.
>
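The offset handling Greg describes, as an added example that is not part of the thread and is not MIT krb5 code: the client takes the server time carried in the preauth-required error, stores the difference from its own clock, and applies it when building the timestamp for the next request. All type and function names are hypothetical, the clock values are constructed, and the 300-second allowed skew is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for this example; not MIT krb5 types. */
struct ktime { int64_t sec; int32_t usec; };   /* seconds + microseconds */
struct client_ctx { int64_t off_sec; int32_t off_usec; int valid; };

/* Normalise so that 0 <= usec < 1000000. */
static struct ktime norm(int64_t sec, int64_t usec)
{
    sec += usec / 1000000;
    usec %= 1000000;
    if (usec < 0) { usec += 1000000; sec -= 1; }
    return (struct ktime){ sec, (int32_t)usec };
}

/* Record server-minus-local offset from the error's server time fields. */
void set_offset_from_error(struct client_ctx *c, struct ktime local, struct ktime stime)
{
    struct ktime d = norm(stime.sec - local.sec, (int64_t)stime.usec - local.usec);
    c->off_sec = d.sec; c->off_usec = d.usec; c->valid = 1;
}

/* Time the client places in its timestamp preauth data. */
struct ktime preauth_time(const struct client_ctx *c, struct ktime local)
{
    if (!c->valid) return local;               /* no offset learned yet */
    return norm(local.sec + c->off_sec, (int64_t)local.usec + c->off_usec);
}

/* KDC-side check at whole-second granularity: 1 if within allowed skew. */
int kdc_accepts(struct ktime pa, struct ktime kdc_now, int64_t skew)
{
    return llabs((long long)(pa.sec - kdc_now.sec)) <= skew;
}

int main(void)
{
    /* Constructed values: the client clock runs about an hour behind the KDC. */
    struct ktime kdc = { 1332306141, 250000 }, local = { 1332302541, 900000 };
    struct client_ctx c = { 0, 0, 0 };
    printf("before offset: %d\n", kdc_accepts(preauth_time(&c, local), kdc, 300));
    set_offset_from_error(&c, local, kdc);
    printf("after offset:  %d\n", kdc_accepts(preauth_time(&c, local), kdc, 300));
    return 0;
}
```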