Client clock skew detection
Kevin Coffman
kwc at citi.umich.edu
Thu Sep 4 13:32:17 EDT 2003
Or better yet, detect it at the KDC in validate_as_request(). Is there
a problem with this?
Thanks,
K.C.
Index: kdc_util.c
===================================================================
RCS file: /afs/umich.edu/group/itd/software/packages/k/kerberos-5/cvs/kr
b5/src/kdc/kdc_util.c,v
retrieving revision 1.6
diff -u -r1.6 kdc_util.c
--- kdc_util.c 30 Apr 2003 13:32:38 -0000 1.6
+++ kdc_util.c 4 Sep 2003 17:26:40 -0000
@@ -865,6 +865,13 @@
int errcode;
/*
+ * Check for client clock skew.
+ */
+ if (labs(kdc_time - request->nonce) > kdc_context->clockskew) {
+ *status = "CLIENT CLOCK SKEW";
+ return KRB_AP_ERR_SKEW;
+ }
+ /*
* If an illegal option is set, complain.
*/
if (request->kdc_options & ~(AS_OPTIONS_HANDLED)) {
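Review bot: The added test `labs(kdc_time - request->nonce) > kdc_context->clockskew` treats the AS-REQ nonce as if it were the client's current time, but nothing in the hunk establishes that. A nonce only has to be a client-chosen value, so a client that sends a random nonce would be rejected with KRB_AP_ERR_SKEW even when its clock is correct. Either restrict the check to requests that carry a real client timestamp, or log the suspected skew instead of returning an error, and state the "nonce is a timestamp" assumption in the new comment. Separately, the subtraction is evaluated before `labs()` is applied, so if both operands are 32-bit values a nonce far from `kdc_time` can overflow; widening one operand before subtracting avoids that.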