Client clock skew detection
kwc at citi.umich.edu
Thu Sep 4 11:23:07 EDT 2003
Is there any obvious problem with the following change in
verify_as_reply() to detect client clock skew at AS_REQ time rather
than at TGS_REQ time? (This diff is against 1.2.8)
diff -u -r126.96.36.199 lib/krb5/krb/get_in_tkt.c
--- get_in_tkt.c 6 May 2002 16:28:06 -0000 188.8.131.52
+++ get_in_tkt.c 4 Sep 2003 17:03:09 -0000
@@ -271,6 +271,14 @@
+ * Check the KDC's idea of the current time against ours.
+ * If we are too far off, return skew error.
+ if (labs(as_reply->enc_part2->times.authtime - time_now) >
+ return (KRB5_KDCREP_SKEW);
More information about the krbdev