krb5_timeofday() and krb5_get_time_offsets() usage

Greg Hudson ghudson at MIT.EDU
Wed Aug 13 10:51:50 EDT 2014


On 08/13/2014 05:14 AM, Petr Spacek wrote:
> - The application later uses krb5_cc_retrieve_cred() to get 
> creds.times.endtime value and to check that the ticket is still valid.

You can set an endtimes value in mcreds.times and specify the
KRB5_TC_MATCH_TIMES flag, and only credentials which expire after that
endtime will be matched.  You still need to use krb5_timeofday() to
produce an end time relative to the clock-adjusted current time, though.

> I can see that krb5_timeofday() from krb5-libs-1.11 does time offset 
> correction automatically for seconds but not for microseconds.

I don't think you need to worry about microseconds when there is a
five-minute margin on credential expiration.  Plenty of factors will
introduce small errors in time computations, including these: the time
offset is measured without taking into account communication latency,
the clock will have drifted since the initial ticket was acquired, the
ticket expiration time was computed without regard to the microseconds
value of the current KDC time.  If I were present at the time, I would
have argued against storing a microseconds value in the file ccache time
offset header on YAGNI grounds.
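An added example, not part of the original message and not libkrb5 code: a plain-C model of the check discussed above, comparing a lookup keyed on the raw local clock with one keyed on the offset-adjusted time. The types, function names and sample values are hypothetical and constructed; the matching rule (a credential matches when its endtime is not earlier than the requested endtime) and the seconds-only offset follow the description in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model types; names are hypothetical, not libkrb5 definitions. */
typedef int32_t ktime;                     /* seconds since the epoch */
struct model_cred { const char *server; ktime endtime; };

/* Clock-adjusted "now": local clock plus the offset to the KDC clock
 * recorded with the ccache (seconds only, as discussed in the thread). */
static ktime adjusted_now(ktime system_now, int32_t kdc_offset)
{
    return system_now + kdc_offset;
}

/* Return the index of the first credential for `server` whose endtime is
 * not earlier than match_endtime, or -1 if none qualifies. */
static int find_cred(const struct model_cred *cache, int n,
                     const char *server, ktime match_endtime)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(cache[i].server, server) != 0)
            continue;
        if (cache[i].endtime >= match_endtime)
            return i;
    }
    return -1;
}

/* Constructed sample: the KDC clock reads 1000000300 while the local clock
 * reads 1000000000, so the stored offset is +300 s. */
static const struct model_cred sample_cache[] = {
    { "krbtgt/EXAMPLE.COM@EXAMPLE.COM", 1000000200 }, /* past endtime at KDC */
    { "host/a.example.com@EXAMPLE.COM", 1000003600 }, /* still valid */
};
enum { SAMPLE_N = 2, SYSTEM_NOW = 1000000000, KDC_OFFSET = 300 };

int main(void)
{
    const char *tgt = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
    /* Raw local clock: the TGT matches although its endtime is already
     * in the past on the KDC's clock. */
    printf("raw clock:      %d\n",
           find_cred(sample_cache, SAMPLE_N, tgt, SYSTEM_NOW));
    /* Offset-adjusted clock: the same TGT is not matched. */
    printf("adjusted clock: %d\n",
           find_cred(sample_cache, SAMPLE_N, tgt,
                     adjusted_now(SYSTEM_NOW, KDC_OFFSET)));
    return 0;
}
```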

