Fixing clock skew

Derek Atkins warlord at MIT.EDU
Tue May 20 18:28:48 EDT 2003

Note that the krb_err is potentially unauthenticated, so someone
could attack your client by sending you bogus krb_err replies.
Probably not a major vulnerability, but certainly something to think
about..  An authenticated krb_err would fix this, but that should
get discussed within the krb-wg, not here.


Ben Creech <bpcreech at> writes:

> Is there any way, from the library user's standpoint, to get the
> krb5_error::stime out of TGS replies with KRB5KRB_AP_ERR_SKEW?  If I
> could do that, I could fix the system time from my client program
> without having to worry about ntp or the like.
> It would be nice if we could (optionally) get the whole krb5_error
> structure or the equivalent (for that and other reasons), but looking
> at the source I don't suppose that's possible.  It looks like the data
> is unconditionally freed in krb5_get_cred_via_tkt without being
> stashed anywhere else first.
> I suppose it's not available for ABI compatibility reasons.  You guys
> take all the fun out of dll hell. :(
> _______________________________________________
> krbdev mailing list             krbdev at

       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL:    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

More information about the krbdev mailing list