[krbdev.mit.edu #8272] clock skew ignored in latest kerberos?
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Oct 26 19:13:13 EDT 2015
[aglo at umich.edu - Mon Oct 26 19:07:23 2015]:
> Steps to reproduce:
> 1. set client's clock either way ahead or way behind (hours)
> 2. do kinit and watch it succeed.
>
> While I don't know exactly when the problem started, but in
> krb-1.10.3, kinit worked correctly and produced an error.

If the "kdc_timesync" krb5.conf variable is true (as is the default),
the client will note the difference between its own clock and the
KDC's clock during authentication, and will apply that adjustment to
its clock whenever the tickets are used.

Prior to 1.12, the kdc_timesync functionality did not work when
pre-authentication was required. This was changed by issue #7657[1].

You can, of course, set "kdc_timesync = false" in the [libdefaults]
section of krb5.conf to suppress this behavior, whether or not
pre-authentication is used.

[1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7657