Fixing clock skew

Ben Creech bpcreech at
Wed May 28 00:49:40 EDT 2003

Would you have the user stop the system clock until Father Time catches up?

Why, in particular, is it a bad thing?  Are you hinting at something 
security-related?  Obviously some things will such as make-based systems 
will need to be cleaned, etc, but I will assume that if the user clicks 
"yes" to the dialog box that they're aware of the effects.

I would think that having a clock set into the future would be more of a 
Bad Thing.  Imagine the confusion when the jqpublic's coworkers find that 
his Excel file sitting in AFS has been modified today, even though he's 
been on vacation for a week.  (OF course, with the Windows OpenAFS client 
it's as likely to be dated 1969).

In general, storing and applying skew in the ccache is a technically 
superior solution from the library author's standpoint, but for my purposes 
(writing a front-end for a specific site), I think I will stick with 
getting the user to fix their clock.

--On Tuesday, May 27, 2003 8:25 PM -0700 Frank Cusack <fcusack at> 

> On Fri, May 23, 2003 at 06:09:26PM -0400, Ben Creech wrote:
>> Yes, this was much easier than using the krb5_error.  For my purposes, I
>> can just compare k5tgt.times.authtime to time(NULL), then fix the system
>> time and get the TGT again if necessary.
> Don't you risk setting your clock backwards?  Which is a Bad Thing.
> /fc

More information about the krbdev mailing list