clock skew and preauth

Stef Walter stefw at gnome.org
Thu Apr 5 13:51:50 EDT 2012


On 2012-04-05 19:48, Nico Williams wrote:
> If we're going to go this far, why not associate a realm name with
> each offset?  That way a multi-client-principal application can cope
> with each client realm having the wrong time.

Yes, I was going to look at that next ;)

But this preauth stuff is (and should be) conceptually separate. The
preauth server timestamp is untrusted, and so we shouldn't store it
anywhere. It's just to be used in the next encrypted timestamp preauth
reply. Essentially it becomes a challenge that we receive from the
server, which we respond to by encrypting it and sending it back.

Cheers,

Stef
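
The separation described in the message above, as an added example (not part of the original post and not MIT krb5 code). All struct and function names are hypothetical, and taking the stored offset from the `authtime` of a successfully decrypted AS-REP is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical long-lived client state: holds only authenticated time data. */
struct client_ctx { int64_t trusted_offset; bool offset_valid; };

/* Hypothetical per-request state: discarded when the AS exchange ends. */
struct preauth_attempt { int64_t hint_offset; bool have_hint; };

/* KRB-ERROR is unauthenticated, so its server time is kept only in the
 * per-request state and never written to the context. */
void on_krb_error(struct preauth_attempt *pa, int64_t local_now, int64_t stime)
{
    pa->hint_offset = stime - local_now;
    pa->have_hint = true;
}

/* Timestamp to encrypt in the next encrypted-timestamp preauth reply:
 * the server's own clock echoed back, like a challenge. */
int64_t enc_timestamp_value(const struct client_ctx *ctx,
                            const struct preauth_attempt *pa, int64_t local_now)
{
    if (pa->have_hint)
        return local_now + pa->hint_offset;
    return local_now + (ctx->offset_valid ? ctx->trusted_offset : 0);
}

/* Call only after the AS-REP enc-part decrypted with the client's key
 * (assumption: authtime from that reply is the trusted time source). */
void on_authenticated_reply(struct client_ctx *ctx, struct preauth_attempt *pa,
                            int64_t local_now, int64_t authtime)
{
    ctx->trusted_offset = authtime - local_now;
    ctx->offset_valid = true;
    pa->hint_offset = 0;
    pa->have_hint = false;
}

/* Clock used for everything except the preauth reply: never sees the hint. */
int64_t ctx_now(const struct client_ctx *ctx, int64_t local_now)
{
    return local_now + (ctx->offset_valid ? ctx->trusted_offset : 0);
}

int main(void)
{
    struct client_ctx ctx = {0, false};
    struct preauth_attempt pa = {0, false};
    on_krb_error(&pa, 1000, 8200);          /* constructed values */
    return ctx_now(&ctx, 1001) == 1001 ? 0 : 1;
}
```

A forged KRB-ERROR in this model can only change the timestamp in one preauth reply; the clock used elsewhere moves only after a reply that proves knowledge of the client's key.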

