krb5_timeofday() and krb5_get_time_offsets() usage
Petr Spacek
pspacek at redhat.com
Wed Aug 13 05:14:48 EDT 2014
Hello,
I would like to hear your recommendation about correct
krb5_timeofday()/krb5_get_time_offsets() usage.
Example:
- An application calls krb5_get_init_creds_keytab() during start up and then
uses the ticket for a long time.
- The application later uses krb5_cc_retrieve_cred() to get
creds.times.endtime value and to check that the ticket is still valid.
- The goal is to make sure that the ticket is still valid before any attempt
to use it.
Is it enough to do something like this?
    #define GUARD_TIME 300
    krb5_timestamp now;
    krb5_creds creds;
    krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
    krb5_timeofday(context, &now);
    if (now > (creds.times.endtime - GUARD_TIME)) {
        log("Credentials in cache expired");
        renew_ticket();
    }
I can see that krb5_timeofday() from krb5-libs-1.11 does time offset
correction automatically for seconds but not for microseconds.
Does it mean that the application should do microseconds correction on its own? E.g.:
    krb5_timeofday(context, &now);
    krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec);
    if (kdc_time_offset_usec > 0)
        now++;
    else if (kdc_time_offset_usec < 0)
        now--;
Or - would it be possible to handle microseconds correction inside
krb5_timeofday()?
(I hope that I understood the semantics correctly; currently I don't see any
krb5_set_time_offsets() call with a non-zero microseconds parameter.)
Thank you for your time.
--
Petr Spacek @ Red Hat
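
Added example, not part of the original message and not libkrb5 code: the arithmetic behind the question, comparing an exact seconds-plus-microseconds offset correction with the sign-only adjustment sketched in the message, followed by the same GUARD_TIME comparison. The names struct ts, apply_offset, sign_only_adjust and needs_renewal are hypothetical, no libkrb5 calls are used, and all sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GUARD_TIME   300        /* seconds, same value as in the message */
#define USEC_PER_SEC 1000000

/* Stand-in (seconds, microseconds) pair; not a libkrb5 type. */
struct ts { int64_t sec; int32_t usec; };

/* Add a signed offset to a local clock reading, then normalise so that
 * 0 <= usec < USEC_PER_SEC, carrying or borrowing whole seconds. */
struct ts apply_offset(struct ts local, int64_t off_sec, int32_t off_usec)
{
    int64_t usec = (int64_t)local.usec + off_usec;
    struct ts r;

    r.sec = local.sec + off_sec + usec / USEC_PER_SEC;
    usec %= USEC_PER_SEC;
    if (usec < 0) {             /* C division truncates toward zero */
        usec += USEC_PER_SEC;
        r.sec -= 1;
    }
    r.usec = (int32_t)usec;
    return r;
}

/* The sign-only adjustment from the message, applied to a seconds value
 * that already includes the whole-second offset. */
int64_t sign_only_adjust(int64_t now_sec, int32_t off_usec)
{
    return now_sec + (off_usec > 0) - (off_usec < 0);
}

/* Guard-time test on whole seconds. A fractional second is rounded up,
 * so the ticket is never considered valid for longer than it is. */
bool needs_renewal(struct ts now, int64_t endtime)
{
    int64_t now_sec = now.sec + (now.usec > 0 ? 1 : 0);
    return now_sec > endtime - GUARD_TIME;
}

int main(void)
{
    struct ts local = { 1000, 800000 };            /* constructed sample */
    struct ts t = apply_offset(local, 5, -400000); /* constructed offset */

    printf("exact: %lld.%06d  sign-only: %lld\n", (long long)t.sec, (int)t.usec,
           (long long)sign_only_adjust(local.sec + 5, -400000));
    return 0;
}
```

With these sample values the exact correction gives 1005.400000 while the sign-only adjustment gives 1004, so the two differ by at most about a second, which is small next to a 300-second guard time.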