clock skew and preauth

Stef Walter stefw at
Thu Apr 5 12:31:40 EDT 2012

[Sorry this isn't a follow up to the previous thread on this topic. I
just joined the mailing list yesterday.]

I ran into the same problem as recently discussed on the mailing list,
with preauth encrypted-timestamp failing due to out of sync clocks.
That's despite kdc_timesync = 1.

Greg pointed out this patch:

In my opinion, the problem with that patch is we're using an
unauthenticated source (krb5_error->stime) to set the global time offset
for the entire library (and storing it in the cache file). This  could
be abused.

Attached is a patch which:

 * Stores a timestamp offset in krb5_clpreauth_rock when preauth is
   requested, and uses it during preauth encrypted timestamp.
 * Exposes a new callback for client preauth plugins. Suggested
   by Greg.
 * Refactors krb5_us_timeofday() so we don't copy paste around
   the offset calculation code.
 * Uses an offset because of the prompting delay problem [1]
 * Only enables preauth offsets if kdc_timesync != 0.

Does this look like a good approach? I'll file a PR for it if so.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Support-using-kdc-time-during-encrypted-timestamp-pr.patch
Type: text/x-patch
Size: 10366 bytes
Desc: not available
Url :

More information about the krbdev mailing list