Fixing clock skew
Ben Creech
bpcreech at eos.ncsu.edu
Wed May 28 00:49:40 EDT 2003
Would you have the user stop the system clock until Father Time catches up?
Why, in particular, is it a bad thing? Are you hinting at something
security-related? Obviously some things will such as make-based systems
will need to be cleaned, etc, but I will assume that if the user clicks
"yes" to the dialog box that they're aware of the effects.
I would think that having a clock set into the future would be more of a
Bad Thing. Imagine the confusion when the jqpublic's coworkers find that
his Excel file sitting in AFS has been modified today, even though he's
been on vacation for a week. (OF course, with the Windows OpenAFS client
it's as likely to be dated 1969).
In general, storing and applying skew in the ccache is a technically
superior solution from the library author's standpoint, but for my purposes
(writing a front-end for a specific site), I think I will stick with
getting the user to fix their clock.
--On Tuesday, May 27, 2003 8:25 PM -0700 Frank Cusack <fcusack at fcusack.com>
wrote:
> On Fri, May 23, 2003 at 06:09:26PM -0400, Ben Creech wrote:
>> Yes, this was much easier than using the krb5_error. For my purposes, I
>> can just compare k5tgt.times.authtime to time(NULL), then fix the system
>> time and get the TGT again if necessary.
>
> Don't you risk setting your clock backwards? Which is a Bad Thing.
>
> /fc
More information about the krbdev
mailing list