clock skew and preauth

Chris Hecker checker at
Thu Apr 5 17:14:43 EDT 2012

Cool, thanks for doing the more clued version!  Let me know if/when you
want me to test this.

It's all client-side, right?


On 2012/04/05 09:31, Stef Walter wrote:
> [Sorry this isn't a follow up to the previous thread on this topic. I
> just joined the mailing list yesterday.]
> I ran into the same problem as recently discussed on the mailing list,
> with preauth encrypted-timestamp failing due to out of sync clocks.
> That's despite kdc_timesync = 1.
> Greg pointed out this patch:
> In my opinion, the problem with that patch is we're using an
> unauthenticated source (krb5_error->stime) to set the global time offset
> for the entire library (and storing it in the cache file). This could
> be abused.
> Attached is a patch which:
>  * Stores a timestamp offset in krb5_clpreauth_rock when preauth is
>    requested, and uses it during preauth encrypted timestamp.
>  * Exposes a new callback for client preauth plugins. Suggested
>    by Greg.
>  * Refactors krb5_us_timeofday() so we don't copy paste around
>    the offset calculation code.
>  * Uses an offset because of the prompting delay problem [1]
>  * Only enables preauth offsets if kdc_timesync != 0.
> Does this look like a good approach? I'll file a PR for it if so.
> Cheers,
> Stef
> [1]
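
A sketch of the design described in the quoted message, as an added example that is not the attached patch or MIT krb5 code: the skew learned from the unauthenticated error reply is kept in per-request state, applied only to the preauth timestamp, and gated on kdc_timesync. All struct and function names are hypothetical, and the times are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical types for illustration; not the MIT krb5 structures. */
struct lib_context {
    bool kdc_timesync;      /* true when kdc_timesync != 0 */
    int32_t global_offset;  /* library-wide offset; never written below */
};

struct preauth_request {    /* per-request preauth state */
    bool have_offset;
    int32_t offset;         /* seconds: KDC time minus local time */
};

/* Record the skew from an unauthenticated KDC error reply for this
 * request only. Nothing global or persistent is changed. */
void note_kdc_time(const struct lib_context *ctx, struct preauth_request *req,
                   int64_t kdc_stime, int64_t local_now)
{
    if (!ctx->kdc_timesync)
        return;
    req->offset = (int32_t)(kdc_stime - local_now);
    req->have_offset = true;
}

/* Time for the encrypted timestamp, computed when it is built. Keeping an
 * offset instead of the KDC's absolute time means a delay spent prompting
 * for the password is still accounted for. */
int64_t preauth_time(const struct preauth_request *req, int64_t local_now)
{
    return req->have_offset ? local_now + req->offset : local_now;
}

/* Constructed scenario: local clock 600 s behind the KDC, 45 s prompt. */
int64_t demo(bool timesync, int32_t *global_after)
{
    struct lib_context ctx = { timesync, 0 };
    struct preauth_request req = { false, 0 };
    int64_t local = 1000000, kdc = local + 600;

    note_kdc_time(&ctx, &req, kdc, local);
    local += 45;                        /* user types the password */
    *global_after = ctx.global_offset;  /* still 0 in both cases */
    return preauth_time(&req, local);
}
```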
