Client clock skew detection
Kevin Coffman
kwc at citi.umich.edu
Thu Sep 4 11:23:07 EDT 2003
Is there any obvious problem with the following change in
verify_as_reply() to detect client clock skew at AS_REQ time rather
than at TGS_REQ time? (This diff is against 1.2.8)
diff -u -r1.1.1.2 lib/krb5/krb/get_in_tkt.c
--- get_in_tkt.c 6 May 2002 16:28:06 -0000 1.1.1.2
+++ get_in_tkt.c 4 Sep 2003 17:03:09 -0000
@@ -271,6 +271,14 @@
> context->clockskew))
return (KRB5_KDCREP_SKEW);
}
+
+ /*
+ * Check the KDC's idea of the current time against ours.
+ * If we are too far off, return skew error.
+ */
+ if (labs(as_reply->enc_part2->times.authtime - time_now) >
+ context->clockskew)
+ return (KRB5_KDCREP_SKEW);
+
return 0;
}
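Review bot: The added `if (labs(as_reply->enc_part2->times.authtime - time_now) > context->clockskew)` sits after the closing `}` of the preceding block and directly before `return 0;`, so it runs on every path that reaches the end of the function, including paths where the existing skew test above was skipped by whatever condition guards that block (the condition is not visible in this hunk). If that guard exists to bypass skew checking in some configurations, this test should go under the same guard, or the comment should say why it applies unconditionally. The comment could also note that authtime is being used as the KDC's current time, and since the new test returns the same KRB5_KDCREP_SKEW as the check above it, callers cannot tell which comparison failed.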
Thanks,
K.C.