Kerberos authentication and Time Skew: does not always work
Sam Hartman
hartmans at MIT.EDU
Tue Sep 4 15:57:41 EDT 2007
>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
Jeffrey> JC Ferguson wrote:
>> I understand the basic technique/theory behind allowing a
>> client to have skew as described in RFC 4120 and in more detail
>> the DGT96 reference in the RFC. I'm not sure how much of this
>> is already implemented in the MIT library, whether or not there
>> is a compile-time option I forgot to set to get it to work, or
>> whether or not there is a krb5.conf option I can set, etc.
Jeffrey> The ability to perform skew adjustment in the client when
Jeffrey> the KDC and service host are time synchronized but the
Jeffrey> client is not requires the ability to store time offset
Jeffrey> information for the tickets in the credential cache. The
Jeffrey> MSLSA and API credential caches on Windows do not support
Jeffrey> this.
It's important to note that is not what SMB is doing based on the
protocol traces being reported.
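
The client-side skew adjustment described in the quoted text above, as an added example that is not part of the original thread or of the MIT code: it reads a KDC time offset from a credential cache header and applies it to the authenticator timestamp, then repeats the check with a cache that stores no offset. The header layout assumed here is the MIT FILE ccache version 4 format (tag 1, two 32-bit big-endian integers), the 300-second tolerance is the MIT default clockskew, and all function names and sample times are constructed for illustration.

```python
import struct

CLOCKSKEW = 300  # seconds of tolerance on the service side (assumed default)

def build_header(offset_sec, offset_usec=0):
    """Build a constructed v4 ccache header carrying a KDC time offset (tag 1)."""
    field = struct.pack(">HHii", 1, 8, offset_sec, offset_usec)
    return struct.pack(">HH", 0x0504, len(field)) + field

def read_time_offset(blob):
    """Return (seconds, microseconds) stored in a v4 header, or None if absent."""
    version, hdr_len = struct.unpack_from(">HH", blob, 0)
    if version != 0x0504:
        return None  # earlier file versions carry no header fields
    pos, end = 4, 4 + hdr_len
    if end > len(blob):
        raise ValueError("truncated ccache header")
    while pos + 4 <= end:
        tag, length = struct.unpack_from(">HH", blob, pos)
        pos += 4
        if pos + length > end:
            raise ValueError("header field overruns header")
        if tag == 1 and length == 8:
            return struct.unpack_from(">ii", blob, pos)
        pos += length  # skip unknown tags
    return None

def authenticator_ctime(local_now, cache_blob):
    """Timestamp the client puts in its authenticator: local clock plus stored offset."""
    offset = read_time_offset(cache_blob)
    return local_now + (offset[0] if offset else 0)

def service_accepts(ctime, service_now, skew=CLOCKSKEW):
    """Service-side freshness check on the authenticator timestamp."""
    return abs(service_now - ctime) <= skew

def demo():
    kdc_now = 1188935861         # constructed; KDC and service share this clock
    client_now = kdc_now - 3600  # constructed; client clock is one hour slow
    with_offset = build_header(kdc_now - client_now)
    no_offset = struct.pack(">HH", 0x0504, 0)  # cache that cannot store an offset
    return (service_accepts(authenticator_ctime(client_now, with_offset), kdc_now),
            service_accepts(authenticator_ctime(client_now, no_offset), kdc_now))

if __name__ == "__main__":
    print(demo())
```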