[krbdev.mit.edu #8272] clock skew ignored in latest kerberos?
Olga Kornievskaia via RT
rt-comment at krbdev.mit.edu
Tue Oct 27 09:09:31 EDT 2015
On Mon, Oct 26, 2015 at 7:13 PM, Greg Hudson via RT
<rt-comment at krbdev.mit.edu> wrote:
> [aglo at umich.edu - Mon Oct 26 19:07:23 2015]:
>> Steps to reproduce:
>> 1. set client's clock either way ahead or way behind (hours)
>> 2. do kinit and watch it succeed.
>>
>> While I don't know exactly when the problem started, in
>> krb-1.10.3, kinit worked correctly and produced an error.
>
> If the "kdc_timesync" krb5.conf variable is true (as is the default),
> the client will note the difference between its own clock and the
> KDC's clock during authentication, and will apply that adjustment to
> its clock whenever the tickets are used.
>
> Prior to 1.12, the kdc_timesync functionality did not work when pre-
> authentication was required. This was changed by issue #7657[1].
> You can, of course, set "kdc_timesync = false" in the [libdefaults]
> section of krb5.conf to suppress this behavior, whether or not pre-
> authentication is used.
>
> [1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7657
Thank you for the explanation. One more question: does that allow for
acquiring a ticket for an indeterminate future and allow user access even
though, say, that user's access should be revoked?