[krbdev.mit.edu #7063] Prompter delay can cause spurious clock skew
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Jan 9 12:11:31 EST 2012
When we make an AS request, by default we record the difference between
the system time and the reply's authtime in the context (in the
time_offset field of os_context). This offset is recorded when a ccache
is created and restored when a ccache is loaded.

If gak_fct takes a long time (because the user took a long time to enter
the password), we incorrectly compute a large negative time offset. To
fix this, we need to snapshot the system time when the reply is received,
before calling gak_fct, and use that snapshotted time after decrypting the
reply.

We can either do this by introducing a more sophisticated (perhaps
internal) API than krb5_set_real_time(), or we can just fudge the authtime
by the amount of time elapsed across the gak_fct call.
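
The ordering problem described in this message, as an added C illustration that is not part of the original message and is not libkrb5 code. The simulated clock, slow_prompter() and the three offset_* functions are hypothetical stand-ins, and the timestamps are constructed.

```c
#include <stdio.h>
#include <stdint.h>

typedef int64_t ts_t;
struct fake_clock { ts_t now; };              /* simulated system clock */

/* Stand-in for gak_fct: the user takes `delay` seconds to type a password. */
static void slow_prompter(struct fake_clock *c, ts_t delay) { c->now += delay; }

/* Offset to store in the context: reply authtime minus local time. */
static ts_t offset_from(ts_t authtime, ts_t local) { return authtime - local; }

/* Reported behaviour: the clock is read only after the prompter returns. */
ts_t offset_after_prompt(ts_t start, ts_t kdc_skew, ts_t delay)
{
    struct fake_clock c = { start };
    ts_t authtime = c.now + kdc_skew;         /* KDC time when reply arrives */
    slow_prompter(&c, delay);
    return offset_from(authtime, c.now);      /* polluted by the delay */
}

/* First proposal: snapshot the system time on receipt, before gak_fct. */
ts_t offset_with_snapshot(ts_t start, ts_t kdc_skew, ts_t delay)
{
    struct fake_clock c = { start };
    ts_t authtime = c.now + kdc_skew;
    ts_t received = c.now;                    /* snapshot */
    slow_prompter(&c, delay);
    return offset_from(authtime, received);
}

/* Second proposal: fudge authtime by the time elapsed across gak_fct. */
ts_t offset_with_fudge(ts_t start, ts_t kdc_skew, ts_t delay)
{
    struct fake_clock c = { start };
    ts_t authtime = c.now + kdc_skew;
    ts_t before = c.now;
    slow_prompter(&c, delay);
    return offset_from(authtime + (c.now - before), c.now);
}

int main(void)
{
    ts_t start = 1000000, skew = 2, delay = 400;   /* constructed values */
    printf("after prompt: %lld\n", (long long)offset_after_prompt(start, skew, delay));
    printf("snapshot:     %lld\n", (long long)offset_with_snapshot(start, skew, delay));
    printf("fudge:        %lld\n", (long long)offset_with_fudge(start, skew, delay));
    return 0;
}
```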