clock skew and preauth
Chris Hecker
checker at d6.com
Thu Apr 5 17:14:43 EDT 2012
Cool, thanks for doing the more clued version! Let me know if/when you
want me to test this.
It's all client-side, right?
Chris
On 2012/04/05 09:31, Stef Walter wrote:
> [Sorry this isn't a follow up to the previous thread on this topic. I
> just joined the mailing list yesterday.]
>
> I ran into the same problem as recently discussed on the mailing list,
> with preauth encrypted-timestamp failing due to out of sync clocks.
> That's despite kdc_timesync = 1.
>
> Greg pointed out this patch:
>
> http://mailman.mit.edu/pipermail/kerberos/2012-March/018014.html
>
> In my opinion, the problem with that patch is we're using an
> unauthenticated source (krb5_error->stime) to set the global time offset
> for the entire library (and storing it in the cache file). This could
> be abused.
>
> Attached is a patch which:
>
> * Stores a timestamp offset in krb5_clpreauth_rock when preauth is
> requested, and uses it during preauth encrypted timestamp.
> * Exposes a new callback for client preauth plugins. Suggested
> by Greg.
> * Refactors krb5_us_timeofday() so we don't copy paste around
> the offset calculation code.
> * Uses an offset because of the prompting delay problem [1].
> * Only enables preauth offsets if kdc_timesync != 0.
>
> Does this look like a good approach? I'll file a PR for it if so.
>
> Cheers,
>
> Stef
>
> [1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7063
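The design Stef outlines, modelled as an added example in C (this is not the attached patch or MIT krb5 code; the names preauth_rock, rock_note_kdc_time, kdc_offset, library_time and the sample times are this example's own). It shows the two points that matter for the security argument: the KDC's unauthenticated stime only ever adjusts the timestamp inside the preauth state, never the library's global time, and an offset rather than an absolute time is stored so that a slow password prompt does not stale the value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration of the approach described in the thread, written for this
 * page; not MIT krb5 code.  All identifiers here are this example's own. */

typedef int64_t ktime_t;                 /* seconds since the epoch */

#define DEFAULT_CLOCKSKEW 300            /* KDC tolerance, in seconds */

/* Per-request preauth state; models the offset field proposed for
 * krb5_clpreauth_rock. */
typedef struct {
    bool    kdc_timesync;    /* models the kdc_timesync profile setting */
    bool    have_offset;
    ktime_t kdc_offset;      /* KDC stime minus the local clock when the error arrived */
} preauth_rock;

/* What the rest of the library uses (stands in for krb5_us_timeofday).
 * The rock never writes here, which is the point of scoping the offset. */
static ktime_t library_offset = 0;

ktime_t library_time(ktime_t local_now) {
    return local_now + library_offset;
}

/* Called when the KDC answers with a KRB-ERROR carrying its stime.  Only an
 * offset is kept, and only when kdc_timesync is enabled. */
void rock_note_kdc_time(preauth_rock *rock, ktime_t local_now, ktime_t kdc_stime) {
    if (!rock->kdc_timesync)
        return;
    rock->kdc_offset  = kdc_stime - local_now;
    rock->have_offset = true;
}

/* Time placed in the encrypted-timestamp preauth data. */
ktime_t preauth_timestamp(const preauth_rock *rock, ktime_t local_now) {
    return local_now + (rock->have_offset ? rock->kdc_offset : 0);
}

/* The KDC's acceptance rule: the stamp must lie within clockskew of its clock. */
bool kdc_accepts(ktime_t stamp, ktime_t kdc_now, ktime_t clockskew) {
    ktime_t d = stamp - kdc_now;
    if (d < 0)
        d = -d;
    return d <= clockskew;
}

/* The whole exchange for a client whose clock is `skew` seconds behind the
 * KDC and a user who spends `prompt_delay` seconds at the password prompt.
 * Returns true if the KDC would accept the retried timestamp. */
bool retry_after_skew_error(bool timesync, ktime_t client_t0, ktime_t skew, ktime_t prompt_delay) {
    preauth_rock rock = { .kdc_timesync = timesync, .have_offset = false, .kdc_offset = 0 };
    ktime_t kdc_t0 = client_t0 + skew;

    /* first AS-REQ is rejected; the KRB-ERROR carries the KDC's stime */
    rock_note_kdc_time(&rock, client_t0, kdc_t0);

    /* the user types the password; both clocks advance by prompt_delay */
    ktime_t client_t1 = client_t0 + prompt_delay;
    ktime_t kdc_t1    = kdc_t0 + prompt_delay;

    return kdc_accepts(preauth_timestamp(&rock, client_t1), kdc_t1, DEFAULT_CLOCKSKEW);
}

int main(void) {
    ktime_t t0 = 1333647283;   /* constructed sample: around the date of this thread */
    printf("skew 1000s, timesync on,  60s at prompt: %s\n",
           retry_after_skew_error(true,  t0, 1000, 60) ? "accepted" : "rejected");
    printf("skew 1000s, timesync off, 60s at prompt: %s\n",
           retry_after_skew_error(false, t0, 1000, 60) ? "accepted" : "rejected");
    printf("library time after the retry: %lld (unchanged)\n", (long long)library_time(t0));
    return 0;
}
```

With the offset confined to the rock, a bogus stime in a KRB-ERROR can at most shift the timestamp of this one preauth attempt, which the KDC then checks against its own clock; ticket lifetime and other time checks elsewhere in the library keep using the unmodified local clock.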