clock skew and preauth

Tom Yu tlyu at MIT.EDU
Sun Apr 15 23:52:30 EDT 2012

Greg Hudson <ghudson at MIT.EDU> writes:

> I have one concern about this approach, which is that an attacker could
> create a false log entry for a successful preauthentication on the KDC
> by forging the timestamp in a preauth-required error.  That is, you
> attempt to kinit at noon; I forge a timestamp of 11pm in the
> preauth-required error and capture your preauthenticated request; then
> at 11pm I send that request to the KDC to make it look like you
> authenticated at that time.
> This isn't necessarily a serious enough vulnerability to worry about
> (when the alternative is for preauth to just fail with skewed clocks),
> but I want to raise the issue before taking the patch.

I think it's OK as long as we clearly communicate the auditing
consequences in our documentation and elsewhere.  Does anyone see a
security consequence besides auditing?

More information about the krbdev mailing list