clock skew and preauth

Chris Hecker checker at d6.com
Wed Mar 21 20:10:16 EDT 2012


   Yep, super trivial change, and works perfectly.  Here's the patch for
   1.10.1:
   === modified file 'src/lib/krb5/krb/get_in_tkt.c'
   --- src/lib/krb5/krb/get_in_tkt.c       2012-02-14 01:04:29 +0000
   +++ src/lib/krb5/krb/get_in_tkt.c       2012-03-21 19:44:25 +0000
   @@ -1329,6 +1329,11 @@
                krb5_free_pa_data(context, ctx->preauth_to_use);
                ctx->preauth_to_use = ctx->err_padata;
                ctx->err_padata = NULL;
   +            if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)
   {
   +                code =
   krb5_set_real_time(context,ctx->err_reply->stime,ctx->err_reply->susec
   );
   +                if (code)
   +                    goto cleanup;
   +            }
                /* this will trigger a new call to krb5_do_preauth() */
                krb5_free_error(context, ctx->err_reply);
                ctx->err_reply = NULL;
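Review bot: in the new block in the preauth-required path, the stime/susec handed to krb5_set_real_time come from an unauthenticated KRB-ERROR, so with KRB5_LIBOPT_SYNC_KDCTIME set the client adopts a clock offset from an unverified reply; that is the same trust the existing kdc_timesync behaviour already places in KDC error replies, but a one-line comment at the call site saying so would help future readers of get_in_tkt.c. Separately, mail wrapping has split `if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)` from its `{` and broken the `krb5_set_real_time(...)` call across three lines, so the patch as shown will not apply cleanly and should be resent unwrapped or as an attachment.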
   Thanks a ton as usual, guys!
   Will this be integrated in?
   Chris
   On 2012/03/21 12:08, Chris Hecker wrote:

You shouldn't need to restart the process.

Yeah, it looks like this is going to be trivial using kdc_timesync and
the preauth_required if statement.  Patch soon.

Chris




On 2012/03/20 21:56, Greg Hudson wrote:

On 03/21/2012 12:32 AM, Chris Hecker wrote:

If I do that, I was going to add it as an option and contribute the
diff.  But, is it going to be a big change to restart the process
internally?  I haven't started looking yet.

You shouldn't need to restart the process.

A preauthenticated AS exchange almost always begins with a client
sending a non-preauthenticated request to the KDC and getting back a
preauth-required error.  You'd use the timestamp in this error to set
the clock offsets in the context before invoking the preauthentication
logic to construct the next request.
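To make the step Greg describes concrete, here is an added example that is not krb5 code and not part of the patch above: it takes the KDC's stime/susec from a constructed preauth-required error, records the offset between the KDC clock and the local clock, and applies that offset when reading the time for the next request. The context and error structs are hypothetical stand-ins for the fields involved; the real library does this inside krb5_set_real_time and its time-of-day routines.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical stand-ins for the fields the exchange needs. */
typedef struct {
    int32_t stime;   /* KDC's server time, seconds since the epoch */
    int32_t susec;   /* KDC's microseconds within that second */
} kdc_error_t;

typedef struct {
    int offset_valid;
    int32_t sec_offset;   /* KDC clock minus local clock, seconds */
    int32_t usec_offset;  /* ... and microseconds, kept in [0, 1000000) */
} clock_ctx_t;

/* Record how far the KDC's clock is from ours, given our current time. */
static void sync_to_kdc_time(clock_ctx_t *ctx, const kdc_error_t *err,
                             int32_t now_sec, int32_t now_usec)
{
    int32_t sec = err->stime - now_sec;
    int32_t usec = err->susec - now_usec;
    if (usec < 0) {          /* borrow a second so usec stays non-negative */
        usec += 1000000;
        sec -= 1;
    }
    ctx->sec_offset = sec;
    ctx->usec_offset = usec;
    ctx->offset_valid = 1;
}

/* Local time adjusted by the stored offset: what the next AS-REQ should carry. */
static void adjusted_time(const clock_ctx_t *ctx, int32_t now_sec,
                          int32_t now_usec, int32_t *out_sec, int32_t *out_usec)
{
    if (!ctx->offset_valid) { *out_sec = now_sec; *out_usec = now_usec; return; }
    int32_t sec = now_sec + ctx->sec_offset;
    int32_t usec = now_usec + ctx->usec_offset;
    if (usec >= 1000000) { usec -= 1000000; sec += 1; }   /* carry */
    *out_sec = sec;
    *out_usec = usec;
}

int main(void)
{
    /* Constructed values: local clock is 7 min 0.25 s behind the KDC. */
    kdc_error_t err = { 1332360000, 750000 };
    clock_ctx_t ctx = { 0, 0, 0 };
    int32_t s, u;
    sync_to_kdc_time(&ctx, &err, 1332359580, 500000);
    adjusted_time(&ctx, 1332359580, 500000, &s, &u);
    printf("offset %d.%06d s, adjusted time %d.%06d\n",
           ctx.sec_offset, ctx.usec_offset, s, u);
    return 0;
}
```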

