krb5_timeofday() and krb5_get_time_offsets() usage

Petr Spacek pspacek at redhat.com
Thu Aug 14 07:08:57 EDT 2014


On 13.8.2014 16:51, Greg Hudson wrote:
> On 08/13/2014 05:14 AM, Petr Spacek wrote:
>> - The application later uses krb5_cc_retrieve_cred() to get
>> creds.times.endtime value and to check that the ticket is still valid.
>
> You can set an endtimes value in mcreds.times and specify the
> KRB5_TC_MATCH_TIMES flag, and only credentials which expire after that
> endtime will be matched.  You still need to use krb5_timeofday() to
> produce an end time relative to the clock-adjusted current time, though.
>
>> I can see that krb5_timeofday() from krb5-libs-1.11 does time offset
>> correction automatically for seconds but not for microseconds.
>
> I don't think you need to worry about microseconds when there is a
> five-minute margin on credential expiration.  Plenty of factors will
Oh, I didn't realize that five-minute margin is still in place.

Thank you for clarification!

-- 
Petr Spacek  @  Red Hat


More information about the Kerberos mailing list