clock skew and preauth
Tom Yu
tlyu at MIT.EDU
Thu Mar 22 20:05:38 EDT 2012
Chris Hecker <checker at d6.com> writes:
> Yep, super trivial change, and works perfectly. Here's the patch for
> 1.10.1:
> === modified file 'src/lib/krb5/krb/get_in_tkt.c'
> --- src/lib/krb5/krb/get_in_tkt.c 2012-02-14 01:04:29 +0000
> +++ src/lib/krb5/krb/get_in_tkt.c 2012-03-21 19:44:25 +0000
> @@ -1329,6 +1329,11 @@
> krb5_free_pa_data(context, ctx->preauth_to_use);
> ctx->preauth_to_use = ctx->err_padata;
> ctx->err_padata = NULL;
> + if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)
> {
> + code =
> krb5_set_real_time(context,ctx->err_reply->stime,ctx->err_reply->susec
> );
> + if (code)
> + goto cleanup;
> + }
> /* this will trigger a new call to krb5_do_preauth() */
> krb5_free_error(context, ctx->err_reply);
> ctx->err_reply = NULL;
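Review bot: the added krb5_set_real_time() call applies ctx->err_reply->stime and ctx->err_reply->susec as the clock source whenever KRB5_LIBOPT_SYNC_KDCTIME is set, and nothing in the hunk says why a time taken from an error reply is acceptable at this point or limits which errors trigger it. A comment above the new if stating that intent would help, and it is worth considering whether the adjustment should be restricted to the error codes where a resync is actually wanted, since these lines run on every pass through this preauth-retry path. Separately, the goto cleanup on failure is taken after ctx->preauth_to_use and ctx->err_padata have been reassigned but before krb5_free_error(context, ctx->err_reply) runs, so please confirm that the cleanup path leaves ctx in a consistent state in that case.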
> Thanks a ton as usual, guys!
> Will this be integrated in?
I'm still looking at it, trying to determine whether it could interact
poorly with the fix for #7063
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7063
though it looks like it might be safe.