clock skew and preauth
stefw at gnome.org
Thu Apr 5 12:31:40 EDT 2012
[Sorry this isn't a follow-up to the previous thread on this topic. I
just joined the mailing list yesterday.]

I ran into the same problem as recently discussed on the mailing list,
with preauth encrypted-timestamp failing due to out of sync clocks.
That's despite kdc_timesync = 1.

Greg pointed out this patch:

In my opinion, the problem with that patch is we're using an
unauthenticated source (krb5_error->stime) to set the global time offset
for the entire library (and storing it in the cache file). This could

Attached is a patch which:

* Stores a timestamp offset in krb5_clpreauth_rock when preauth is
  requested, and uses it during preauth encrypted timestamp.
* Exposes a new callback for client preauth plugins. Suggested
* Refactors krb5_us_timeofday() so we don't copy-paste around
  the offset calculation code.
* Uses an offset because of the prompting delay problem
* Only enables preauth offsets if kdc_timesync != 0.

Does this look like a good approach? I'll file a PR for it if so.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 10366 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120405/e3107568/attachment.bin
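
An added sketch of the per-request offset approach the message describes (not the attached patch and not MIT krb5 code). The struct and function names are hypothetical, and all times are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-request preauth state, standing in for the role the
 * message gives krb5_clpreauth_rock. It dies with the request, so an
 * unauthenticated KDC time never reaches library-wide state or the ccache. */
struct preauth_req_state {
    int64_t kdc_offset;   /* seconds: KDC time minus local time */
    int     offset_valid; /* 0 when time sync is disabled by policy */
};

/* Called when the KDC's preauth-required error (carrying stime) arrives. */
void note_kdc_time(struct preauth_req_state *st, int timesync_enabled,
                   int64_t kdc_stime, int64_t local_now)
{
    st->kdc_offset = 0;
    st->offset_valid = 0;
    if (!timesync_enabled)      /* mirrors "only if kdc_timesync != 0" */
        return;
    st->kdc_offset = kdc_stime - local_now;
    st->offset_valid = 1;
}

/* Time to place in the encrypted timestamp, computed when it is sent. */
int64_t enc_timestamp_time(const struct preauth_req_state *st, int64_t local_now)
{
    return st->offset_valid ? local_now + st->kdc_offset : local_now;
}

/* Skew the KDC would measure for a given client timestamp. */
int64_t skew_seen_by_kdc(int64_t client_ts, int64_t kdc_now)
{
    int64_t d = client_ts - kdc_now;
    return d < 0 ? -d : d;
}

int main(void)
{
    /* Constructed scenario: client clock 1000 s behind, user takes 400 s
     * to type the password after the error arrives. */
    int64_t local_err = 1333642500, kdc_err = 1333643500, delay = 400;
    struct preauth_req_state st;

    note_kdc_time(&st, 1, kdc_err, local_err);
    int64_t with_offset = enc_timestamp_time(&st, local_err + delay);
    printf("offset:         skew %lld s\n",
           (long long)skew_seen_by_kdc(with_offset, kdc_err + delay));
    /* Reusing the absolute stime instead goes stale by the prompt delay. */
    printf("absolute stime: skew %lld s\n",
           (long long)skew_seen_by_kdc(kdc_err, kdc_err + delay));
    return 0;
}
```
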