Fixing clock skew

Nicolas Williams Nicolas.Williams at sun.com
Wed May 28 08:32:26 EDT 2003


On Wed, May 28, 2003 at 12:49:40AM -0400, Ben Creech wrote:
> Would you have the user stop the system clock until Father Time catches up?

Solaris' date command can adjust the time slowly, by slowing down or
speeding up the clock.

> Why, in particular, is it a bad thing?  Are you hinting at something 
> security-related?  Obviously some things such as make-based systems 
> will need to be cleaned, etc, but I will assume that if the user clicks 
> "yes" to the dialog box that they're aware of the effects.

Replay caches.  The security of Kerberos V depends on replay caching of
authenticators; this caching need only last for the maximum clock skew
tolerated by Kerberos (300 seconds, but this is configurable) so if you
set the clock back you might make some authenticators replayable.

> In general, storing and applying skew in the ccache is a technically 
> superior solution from the library author's standpoint, but for my purposes 
> (writing a front-end for a specific site), I think I will stick with 
> getting the user to fix their clock.

I wouldn't say superior.  It's a lot better than nothing though!

Nico
-- 
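
The replay-cache point in the message above, as an added example that is not part of the original message and is not MIT Kerberos code. It is a simplified acceptor model (class and function names are hypothetical, the authenticator is constructed) that keeps cache entries only for the skew window and shows how one authenticator is treated when the clock only moves forward versus when it is stepped back.

```python
# Simplified model of an acceptor-side replay cache (illustrative, not MIT Kerberos code).
MAX_SKEW = 300  # seconds; the default tolerated skew mentioned in the message


class Acceptor:
    def __init__(self, skew=MAX_SKEW):
        self.skew = skew
        self.cache = {}  # (client, ctime) -> ctime of authenticators already seen

    def _purge(self, now):
        # An entry is only kept while its authenticator could still pass the
        # skew check, i.e. until the local clock is more than `skew` past it.
        self.cache = {k: t for k, t in self.cache.items() if now - t <= self.skew}

    def accept(self, client, ctime, now):
        """Return 'ok', 'skew' or 'replay' for an authenticator seen at local time `now`."""
        self._purge(now)
        if abs(now - ctime) > self.skew:
            return "skew"      # outside the tolerated window
        key = (client, ctime)
        if key in self.cache:
            return "replay"    # already presented once
        self.cache[key] = ctime
        return "ok"


def demo(clock_readings):
    """Present one constructed authenticator at each local clock reading in turn."""
    acc = Acceptor()
    auth = ("alice@EXAMPLE.COM", 1000)  # constructed (client, ctime) pair
    return [acc.accept(*auth, now=now) for now in clock_readings]


# Clock only moves forward: the second and later presentations are rejected.
FORWARD_ONLY = demo([1000, 1100, 1400, 1400])
# Clock stepped back from 1400 to 1100 after the entry was purged:
# the same authenticator is inside the skew window again and no longer cached.
STEPPED_BACK = demo([1000, 1100, 1400, 1100])

if __name__ == "__main__":
    print("forward only:", FORWARD_ONLY)
    print("stepped back:", STEPPED_BACK)
```
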

