[99405] in North American Network Operators' Group


Re: Question on Loosely Synchronized Router Clocks

daemon@ATHENA.MIT.EDU (Brandon Galbraith)
Thu Sep 20 15:44:55 2007

Date: Thu, 20 Sep 2007 14:41:16 -0500
From: "Brandon Galbraith" <brandon.galbraith@gmail.com>
To: "James R. Cutler" <james.cutler@consultant.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <E1IYRXU-0001TS-N6@elasmtp-mealy.atl.sa.earthlink.net>
Errors-To: owner-nanog@merit.edu


On 9/20/07, James R. Cutler <james.cutler@consultant.com> wrote:
>
>  Kerberos does not assume clock synchronization.
> Kerberos requires reasonable clock synchronization.
> And, as near as I can tell, clock synchronization is not part of the
> Kerberos protocol.
>
> Kick me if I err in this.
>
>         Cutler
>

http://en.wikipedia.org/wiki/Kerberos_%28protocol%29#Kerberos_drawbacks

"Kerberos requires the clocks of the involved hosts to be synchronized. The
tickets have time availability period and, if the host clock is not
synchronized with the clock of Kerberos server, the authentication will
fail. The default configuration requires that clock times are no more than
10 minutes apart. In practice, NTP
<http://en.wikipedia.org/wiki/Network_Time_Protocol> daemons are
usually employed to keep the host clocks synchronized."
