clock skew and preauth

Stef Walter stefw at
Thu Apr 5 16:21:07 EDT 2012

On 2012-04-05 20:44, Nico Williams wrote:
> On Thu, Apr 5, 2012 at 12:51 PM, Stef Walter <stefw at> wrote:
>> On 2012-04-05 19:48, Nico Williams wrote:
>>> If we're going to go this far, why not associate a realm name with
>>> each offset?  That way a multi-client-principal application can cope
>>> with each client realm having the wrong time.
>> Yes, I was going to look at that next ;)
>> But this preauth stuff is (and should be) conceptually separate. The
>> preauth server timestamp is untrusted, and so we shouldn't store it
>> anywhere. It's just to be used in the next encrypted timestamp preauth
>> reply. Essentially it becomes a challenge that we receive from the
>> server, which we respond to by encrypting it and sending it back.
> Ah, fair enough.  But what about the per-ccache time offset?  It
> normally gets stored in the krb5_context.

Will look at that next week sometime. Haven't yet played with the
multi-realm stuff that much.
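
The behaviour described in the quoted paragraph above, as an added sketch that is not code from this thread, the patch under discussion, or any Kerberos implementation. `ToyKDC`, `ToyClient`, `seal`, `MAX_SKEW`, `stored_offset` and the HMAC stand-in for encryption are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 300  # seconds; constructed tolerance for this sketch


def seal(key, ts):
    # Stand-in for the encrypted timestamp: 8-byte time plus an HMAC tag.
    # This is not Kerberos crypto; it only binds the timestamp to the key.
    body = struct.pack(">Q", ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ToyKDC:
    def __init__(self, key, clock):
        self.key, self.clock = key, clock

    def as_req(self, padata=None):
        now = self.clock()
        if padata is None:
            # The error reply carries the server's time, unauthenticated.
            return "PREAUTH_REQUIRED", now
        body, tag = padata[:8], padata[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "PREAUTH_FAILED", now
        if abs(struct.unpack(">Q", body)[0] - now) > MAX_SKEW:
            return "SKEW", now
        return "OK", now


class ToyClient:
    def __init__(self, key, clock):
        self.key, self.clock = key, clock
        self.stored_offset = 0  # stand-in for the stored (trusted) time offset

    def login(self, kdc, use_hint=True):
        _, server_time = kdc.as_req()
        # Untrusted server time: used for this one reply only, never stored.
        hint = server_time - self.clock() if use_hint else 0
        status, _ = kdc.as_req(seal(self.key, self.clock() + hint))
        return status
```
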



