clock skew and preauth

Tom Yu tlyu at MIT.EDU
Thu Mar 22 20:05:38 EDT 2012


Chris Hecker <checker at d6.com> writes:

>    Yep, super trivial change, and works perfectly.  Here's the patch for
>    1.10.1:
>    === modified file 'src/lib/krb5/krb/get_in_tkt.c'
>    --- src/lib/krb5/krb/get_in_tkt.c       2012-02-14 01:04:29 +0000
>    +++ src/lib/krb5/krb/get_in_tkt.c       2012-03-21 19:44:25 +0000
>    @@ -1329,6 +1329,11 @@
>                 krb5_free_pa_data(context, ctx->preauth_to_use);
>                 ctx->preauth_to_use = ctx->err_padata;
>                 ctx->err_padata = NULL;
>    +            if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)
>    {
>    +                code =
>    krb5_set_real_time(context,ctx->err_reply->stime,ctx->err_reply->susec
>    );
>    +                if (code)
>    +                    goto cleanup;
>    +            }
>                 /* this will trigger a new call to krb5_do_preauth() */
>                 krb5_free_error(context, ctx->err_reply);
>                 ctx->err_reply = NULL;
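
Review bot: the added krb5_set_real_time() call takes stime and susec from ctx->err_reply, which at this point is a KRB-ERROR the client has not authenticated, so with KRB5_LIBOPT_SYNC_KDCTIME set the context's time offset is moved by unverified data before the preauth retry. Please add a comment above the new block saying why the error reply's time is acceptable here. Tom's question about how this interacts with the #7063 fix should also be settled before this is merged. Style: put a space after each comma in the argument list, and put the opening brace on the same line as the if.
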
>    Thanks a ton as usual, guys!
>    Will this be integrated in?

I'm still looking at it, trying to determine whether it could interact
poorly with the fix for #7063

  http://krbdev.mit.edu/rt/Ticket/Display.html?id=7063

though it looks like it might be safe.

