Make krb5int_check_clockskew() public?
Linus Nordberg
linus at nordu.net
Sun Oct 30 10:24:48 EDT 2011
Sam Hartman <hartmans at mit.edu> wrote
Sat, 29 Oct 2011 18:35:08 -0400:
| Your ASN.1 decoder is mighty strange if it produces a structure
| depending on size of the armor key from an encrypted timestamp preauth.
The timestamp we're verifying here is not standardised and is hiding in
the nonce field of the PA-OTP-CHALLENGE. The definition of the nonce
field was changed (in -18 IIRC) to make it possible to include a
timestamp in the nonce. This relieves the KDC from holding state for
this.
More information about the krbdev
mailing list