Supporting kdc_timesync offsets in memory credentials caches

Nate Rosenblum nater at maginatics.com
Wed Aug 29 14:38:18 EDT 2012


All--

I was really pleased to see the support for clock skew w/ preauth
mechanisms that came in earlier this year. One thing that I've been
running up against lately is carrying these offsets across krb5
contexts. For example, the current project I'm working on uses the
krb5 interfaces to set up a credentials cache and authenticate, then
later imports credentials to use in the gssapi interfaces. The
file-based credentials caches persist the time offsets, but the memory
caches (which I'm using) do not, so while the initial authentication &
request for a TGT succeed using the proper server time offsets, later
service ticket requests generated by gssapi calls will have a
different krb5_context w/o the proper offsets.

I've attached a patch that persists the skew offsets in kdc_timesync
mode in memory ccaches, as is done in v4 file caches. LMK what you
think.

Best,

--nate

