[krbdev.mit.edu #8272] clock skew ignored in latest kerberos?
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Oct 27 10:32:36 EDT 2015
[aglo at umich.edu - Tue Oct 27 09:09:30 2015]:
> Thank you for the explanation. One more question: does that allow for
> acquiring a ticket for indeterminate future and allow user access even
> though say that user's access should be revoked.
No. The KDC always issues tickets for its current time, and the KDC
and servers always enforce ticket endtimes based on their current
times. If you set the client's clock far in the future and kinit,
you're not getting a ticket which is valid far in the future; you are
getting a ticket which is valid right now, using clock correction.
The clock correction feature is not 100% risk-free, at least
analytically. In the absence of FAST or MS-KKDCP, the timestamp sent
from the KDC to the client is not protected against tampering.
Therefore, the client could be fooled into generating an encrypted
timestamp for the future, which an attacker could replay later in
order to get the KDC to issue a ticket. This attack has low value;
the attacker cannot decrypt the ticket without the client's long-term
key.
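The clock-correction flow described in the reply above, as an added toy model (example code written for this page, not part of the original thread or of MIT krb5): the KDC stamps tickets with its own clock, the client learns its offset from the KDC time carried in the KRB-ERROR and retries, and the application server checks the endtime against its own clock. The 300-second skew window, the 10-hour lifetime, and the simplified message names are assumptions loosely modelled on krb5 defaults.

```python
from dataclasses import dataclass

CLOCKSKEW = 300          # assumed: a 5-minute skew window, as in krb5's default clockskew
TICKET_LIFETIME = 36000  # assumed: a 10-hour ticket lifetime

@dataclass
class Ticket:
    starttime: int  # seconds, always expressed in KDC time
    endtime: int

class KDC:
    """Toy KDC: every ticket is stamped with the KDC's clock, never the client's."""
    def __init__(self, now):
        self.now = now

    def as_req(self, client_timestamp):
        # Encrypted-timestamp preauth outside the skew window is rejected; the
        # error carries the KDC's own time, which is what the client corrects from.
        if abs(client_timestamp - self.now) > CLOCKSKEW:
            return "KRB_AP_ERR_SKEW", self.now
        return "AS_REP", Ticket(self.now, self.now + TICKET_LIFETIME)

class Client:
    """Toy client with a possibly wrong local clock; remembers a clock offset."""
    def __init__(self, local_now):
        self.local_now = local_now
        self.offset = 0

    def kinit(self, kdc):
        code, payload = kdc.as_req(self.local_now + self.offset)
        if code == "KRB_AP_ERR_SKEW":
            # Learn the offset from the KDC's time and retry once, corrected.
            self.offset = payload - self.local_now
            code, payload = kdc.as_req(self.local_now + self.offset)
        return payload if code == "AS_REP" else None

def server_accepts(ticket, server_now):
    """Application server enforces the ticket lifetime against its own clock."""
    return ticket.starttime - CLOCKSKEW <= server_now < ticket.endtime + CLOCKSKEW

def issue_with_skewed_clock(kdc_now, client_skew):
    """kinit for a client whose clock is client_skew seconds off; returns (ticket, offset)."""
    kdc = KDC(kdc_now)
    client = Client(kdc_now + client_skew)
    return client.kinit(kdc), client.offset

if __name__ == "__main__":
    kdc_now = 1_000_000
    ticket, offset = issue_with_skewed_clock(kdc_now, 30 * 86400)  # client 30 days ahead
    print("endtime (KDC time):", ticket.endtime, "learned offset:", offset)
    print("valid now on a synced server:", server_accepts(ticket, kdc_now + 3600))
    print("valid at the client's 'now':", server_accepts(ticket, kdc_now + 30 * 86400))
```

Setting the client clock 30 days ahead yields a ticket whose endtime is still ten hours from the KDC's time, so it is accepted now and rejected at the client's notion of "now".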