Make krb5int_check_clockskew() public?
hartmans at MIT.EDU
Mon Oct 31 13:09:41 EDT 2011
>>>>> "Linus" == Linus Nordberg <linus at nordu.net> writes:
Linus> Sam Hartman <hartmans at mit.edu> wrote Sat, 29 Oct 2011
Linus> 18:35:08 -0400:
Linus> | Your ASN.1 decoder is mighty strange if it produces a
Linus> structure | depending on size of the armor key from an
Linus> encrypted timestamp preauth.
Linus> The timestamp we're verifying here is not standardised and is
Linus> hiding in the nonce field of the PA-OTP-CHALLENGE. The
Linus> definition of the nonce field was changed (in -18 IIRC) to
Linus> make it possible to include a timestamp in the nonce. This
Linus> relieves the KDC from holding state for this.
I thought you were dealing with the two-pass case.
Makes more sense now.
More information about the krbdev