clock skew and preauth
Chris Hecker
checker at d6.com
Wed Mar 21 15:08:47 EDT 2012
> You shouldn't need to restart the process.
Yeah, it looks like this is going to be trivial using kdc_timesync and
the preauth_required if statement. Patch soon.
Chris
On 2012/03/20 21:56, Greg Hudson wrote:
> On 03/21/2012 12:32 AM, Chris Hecker wrote:
>> If I do that, I was going to add it as an option and contribute the
>> diff. But, is it going to be a big change to restart the process
>> internally? I haven't started looking yet.
>
> You shouldn't need to restart the process.
>
> A preauthenticated AS exchange almost always begins with a client
> sending a non-preauthenticated request to the KDC and getting back a
> preauth-required error. You'd use the timestamp in this error to set
> the clock offsets in the context before invoking the preauthentication
> logic to construct the next request.
>
More information about the Kerberos
mailing list