[28569] in CVS-changelog-for-Kerberos-V5


krb5 commit: Document clock skew tolerance for ticket times

daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Sep 8 21:03:23 2014

Date: Mon, 8 Sep 2014 21:03:18 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201409090103.s8913ICf023978@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/e56f3d43a746c198b1fd1889dc1211b9feedbfc3
commit e56f3d43a746c198b1fd1889dc1211b9feedbfc3
Author: Brett Randall <javabrett@gmail.com>
Date:   Fri Sep 5 11:21:35 2014 +1000

    Document clock skew tolerance for ticket times
    
    KDC and application server checks on ticket start and expiration times
    are subject to clock skew tolerance.  Document this grace period.
    
    [tlyu@mit.edu: edit commit message, adjust wording to conform to
    existing style, document start time clock skew]
    
    ticket: 8008 (new)
    target_version: 1.13
    tags: pullup

 doc/admin/conf_files/krb5_conf.rst |    6 ++++++
 doc/user/user_commands/kinit.rst   |    5 +++++
 2 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 2b219fb..6636c2f 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -126,6 +126,12 @@ The libdefaults section may contain any of the following relations:
     library will tolerate before assuming that a Kerberos message is
     invalid.  The default value is 300 seconds, or five minutes.
 
+    The clockskew setting is also used when evaluating ticket start
+    and expiration times.  For example, tickets that have reached
+    their expiration time can still be used (and renewed if they are
+    renewable tickets) if they have been expired for a shorter
+    duration than the **clockskew** setting.
+
 **default_ccache_name**
     This relation specifies the name of the default credential cache.
     The default is |ccache|.  This relation is subject to parameter
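Review bot: the added paragraph's first sentence says clockskew applies to ticket start and expiration times, but the example that follows covers only expiration; since the commit message says start-time skew is being documented, add a parallel example for tickets whose start time is slightly in the future. Two smaller points in the same lines: the first mention is written as plain "clockskew" while the later one is "**clockskew**", so bold both to match the surrounding relation names; and because the existing context describes this value as what "the library will tolerate", say plainly that the KDC and application server apply their own skew tolerance when checking ticket times, so a reader does not assume the client's krb5.conf value alone governs the grace period.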
diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst
index c2b3b7f..72721c3 100644
--- a/doc/user/user_commands/kinit.rst
+++ b/doc/user/user_commands/kinit.rst
@@ -103,6 +103,11 @@ OPTIONS
     expired ticket cannot be renewed, even if the ticket is still
     within its renewable life.
 
+    Note that renewable tickets that have expired as reported by
+    :ref:`klist(1)` may sometimes be renewed using this option,
+    because the KDC applies a grace period to account for client-KDC
+    clock skew.  See :ref:`krb5.conf(5)` **clockskew** setting.
+
 **-k** [**-i** | **-t** *keytab_file*]
     requests a ticket, obtained from a key in the local host's keytab.
     The location of the keytab may be specified with the **-t**
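Review bot: the closing sentence "See :ref:`krb5.conf(5)` **clockskew** setting." is missing an article and reads awkwardly; suggest "See the **clockskew** setting in :ref:`krb5.conf(5)`." Also, the note states that the KDC applies the grace period but points the reader at a libdefaults setting that the first hunk describes as the client library's tolerance, which could lead a user to expect that changing their own krb5.conf alters the KDC's behaviour; a short qualifier that the grace period observed depends on the KDC's configured tolerance would avoid that reading.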
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
