clock skew and preauth
stefw at gnome.org
Thu Apr 5 13:51:50 EDT 2012
On 2012-04-05 19:48, Nico Williams wrote:
> If we're going to go this far, why not associate a realm name with
> each offset? That way a multi-client-principal application can cope
> with each client realm having the wrong time.
Yes, I was going to look at that next ;)
But this preauth stuff is (and should be) conceptually separate. The
preauth server timestamp is untrusted, and so we shouldn't store it
anywhere. It's just to be used in the next encrypted timestamp preauth
reply. Essentially it becomes a challenge that we receive from the
server, which we respond to by encrypting it and sending it back.
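
The one-shot use of the untrusted server time described in this message, as an added sketch that is not part of the original post or of any krb5 code. The HMAC-based `seal` stand-in for the encrypted timestamp, the `Kdc` and `Client` classes, the `stored_offset` field and the 300-second tolerance are all assumptions made for illustration.

```python
import hashlib, hmac, struct

MAX_SKEW = 300  # KDC clock-skew tolerance in seconds (assumed value)

def seal(key: bytes, ts: int) -> bytes:
    # Stand-in for the encrypted timestamp: 8-byte time + HMAC tag under
    # the client's long-term key. Not the real Kerberos enctype.
    body = struct.pack(">Q", ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Kdc:
    def __init__(self, key, clock):
        self.key, self.clock = key, clock

    def as_req(self, padata=None):
        now = self.clock()
        if padata is None:
            return "PREAUTH_REQUIRED", now  # server time, unauthenticated
        body, tag = padata[:8], padata[8:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return "PREAUTH_FAILED", now
        if abs(struct.unpack(">Q", body)[0] - now) > MAX_SKEW:
            return "SKEW", now
        return "OK", now

class Client:
    def __init__(self, key, clock):
        self.key, self.clock = key, clock
        self.stored_offset = None  # hypothetical persistent offset; never set here

    def login(self, kdc, use_hint=True):
        _, stime = kdc.as_req()  # first request carries no preauth
        # The hint lives only in this local variable and is used once.
        hint = stime - self.clock() if use_hint else 0
        status, _ = kdc.as_req(seal(self.key, self.clock() + hint))
        return status

def demo():
    key = b"constructed-demo-key"
    kdc_time = 1333648310  # constructed sample time
    kdc = Kdc(key, lambda: kdc_time)
    client = Client(key, lambda: kdc_time - 3600)  # client is an hour slow
    return client.login(kdc, use_hint=False), client.login(kdc), client.stored_offset

if __name__ == "__main__":
    print(demo())
```
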