Fixing clock skew
Nicolas.Williams at sun.com
Tue May 20 19:18:13 EDT 2003

IIRC the MIT clients support the use of the time from the KDC's
KRB-ERROR to retry using the apparent offset to the KDC's time. The
ccache version 4 also supports storing this offset along with
credentials in the ccache. So if you get your config file options
right you can actually get time offsets from klist, authenticated time
offsets, mind you.

On Tue, May 20, 2003 at 06:28:48PM -0400, Derek Atkins wrote:
> Note that the krb_err is potentially unauthenticated, so someone
> could attack your client by sending you bogus krb_err replies.
> Probably not a major vulnerability, but certainly something to think
> about.. An authenticated krb_err would fix this, but that should
> get discussed within the krb-wg, not here.
>
> Ben Creech <bpcreech at eos.ncsu.edu> writes:
> > Is there any way, from the library user's standpoint, to get the
> > krb5_error::stime out of TGS replies with KRB5KRB_AP_ERR_SKEW? If I
> > could do that, I could fix the system time from my client program
> > without having to worry about ntp or the like.
> > It would be nice if we could (optionally) get the whole krb5_error
> > structure or the equivalent (for that and other reasons), but looking
> > at the source I don't suppose that's possible. It looks like the data
> > is unconditionally freed in krb5_get_cred_via_tkt without being
> > stashed anywhere else first.
> > I suppose it's not available for ABI compatibility reasons. You guys
> > take all the fun out of dll hell. :(
> > _______________________________________________
> > krbdev mailing list krbdev at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord at MIT.EDU PGP key available
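
Added example, not part of the original thread and not MIT's code: a small Python parser that reads the KDC time offset which a version 4 FILE ccache stores in its header (tag 1, two big-endian 32-bit integers), run against a constructed header. The function names and the 300-second threshold (chosen to match the usual default clock skew) are assumptions made for illustration.

```python
import struct

CCACHE_V4 = 0x0504
TAG_DELTATIME = 1  # header tag carrying the KDC time offset


def read_kdc_offset(data: bytes):
    """Return (seconds, microseconds) from a v4 ccache header, or None.

    Raises ValueError on a non-v4 file or a truncated/malformed header.
    """
    if len(data) < 4:
        raise ValueError("too short for a ccache header")
    version, hdr_len = struct.unpack_from(">HH", data, 0)
    if version != CCACHE_V4:
        raise ValueError(f"not a version 4 ccache (got 0x{version:04x})")
    end = 4 + hdr_len
    if end > len(data):
        raise ValueError("header length runs past end of file")
    pos, offset = 4, None
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated header field")
        tag, flen = struct.unpack_from(">HH", data, pos)
        pos += 4
        if pos + flen > end:
            raise ValueError("header field overruns header")
        if tag == TAG_DELTATIME:
            if flen != 8:
                raise ValueError("DeltaTime field must be 8 bytes")
            offset = struct.unpack_from(">ii", data, pos)
        pos += flen  # unknown tags are skipped, not rejected
    return offset


def check_offset(data: bytes, max_skew: int = 300):
    """Compare the stored offset with a local policy limit (assumed 300 s)."""
    off = read_kdc_offset(data)
    if off is None:
        return "no-offset"
    return "ok" if abs(off[0]) <= max_skew else "exceeds-skew"


# Constructed sample: v4 header holding an offset of -7200 s, 0 us.
SAMPLE = struct.pack(">HH", CCACHE_V4, 12) + struct.pack(">HHii", 1, 8, -7200, 0)
```
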