Make krb5int_check_clockskew() public?

Linus Nordberg linus at
Sun Oct 30 10:24:48 EDT 2011

Sam Hartman <hartmans at> wrote
Sat, 29 Oct 2011 18:35:08 -0400:

| Your ASN.1 decoder is mighty strange if it produces a structure
| depending on size of the armor key from an encrypted timestamp preauth.

The timestamp we're verifying here is not standardised and is hiding in
the nonce field of the PA-OTP-CHALLENGE.  The definition of the nonce
field was changed (in -18 IIRC) to make it possible to include a
timestamp in the nonce.  This relieves the KDC from holding state for

More information about the krbdev mailing list