Date: Thu, 20 Sep 2007 16:04:31 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Brandon Galbraith" <brandon.galbraith@gmail.com>
Cc: "James R. Cutler" <james.cutler@consultant.com>, NANOG <nanog@merit.edu>
In-Reply-To: <366100670709201241q5cfa8bbfl9b0e26ee6083f86c@mail.gmail.com>
Errors-To: owner-nanog@merit.edu

On Thu, 20 Sep 2007 14:41:16 -0500 "Brandon Galbraith" <brandon.galbraith@gmail.com> wrote:

> On 9/20/07, James R. Cutler <james.cutler@consultant.com> wrote:
> >
> > Kerberos does not assume clock synchronization.
> > Kerberos requires reasonable clock synchronization.
> > And, as near as I can tell, clock synchronization is not part of the
> > Kerberos protocol.
> >
> > Kick me if I err in this.
> >
> > Cutler
> >
>
> http://en.wikipedia.org/wiki/Kerberos_%28protocol%29#Kerberos_drawbacks
>
> "Kerberos requires the clocks of the involved hosts to be
> synchronized. The tickets have time availability period and, if the
> host clock is not synchronized with the clock of Kerberos server, the
> authentication will fail. The default configuration requires that
> clock times are no more than 10 minutes apart. In practice,
> NTP <http://en.wikipedia.org/wiki/Network_Time_Protocol> daemons are
> usually employed to keep the host clocks synchronized."

That's correct, though I believe some versions use an offset hack. The initial exchange with the Kerberos server is strongly authenticated. It's used to issue a ticket-granting ticket; replay of TGTs (and service tickets obtained via TGTs) partially relies on synchronized clocks.

The offset hack has the Kerberos server -- a universally trusted party -- note and seal in the tickets -- the client's time offset from KDC reality. Any services that accept the tickets can use this value to correct for clock skew.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
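The following is an added illustration, not code from the thread or from any Kerberos implementation: a simplified model of the acceptance check a Kerberized service performs on an authenticator timestamp, the replay cache that covers the skew window (which is why the window matters for replay, as the reply says), and the "offset hack" in which a KDC-sealed client clock offset lets the service correct a skewed timestamp. The 10-minute window is the value quoted on the page; the `client_offset` field, the class and function names, and the scenario timestamps are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed model, not MIT or Heimdal code. The skew window below is the
# 10-minute figure quoted in the thread; real deployments tune this value.
MAX_SKEW = timedelta(minutes=10)


class ReplayCache:
    """Remembers (client, timestamp) pairs seen inside the skew window.

    A service only needs to remember authenticators for as long as they
    would still pass the skew check; older ones are rejected on time alone.
    """

    def __init__(self):
        self._seen = {}

    def check_and_add(self, client, ts, now):
        # Drop entries that have aged out of the window.
        for key in [k for k, t in self._seen.items() if now - t > MAX_SKEW]:
            del self._seen[key]
        key = (client, ts)
        if key in self._seen:
            return False  # same authenticator presented twice: a replay
        self._seen[key] = ts
        return True


def validate_authenticator(client, auth_ts, server_now, cache,
                           client_offset=timedelta(0)):
    """Return (accepted, reason) for one authenticator.

    client_offset is a hypothetical KDC-sealed value (client clock minus KDC
    clock) modelling the offset hack described in the message. With the
    default of zero the check is the plain skew test.
    """
    corrected = auth_ts - client_offset
    if abs(server_now - corrected) > MAX_SKEW:
        return False, "clock skew too great"
    if not cache.check_and_add(client, auth_ts, server_now):
        return False, "replay"
    return True, "ok"


def run_scenarios():
    """Walk through four constructed cases and return their outcomes."""
    now = datetime(2007, 9, 20, 16, 4, 31, tzinfo=timezone.utc)
    cache = ReplayCache()
    results = []
    # 1. Fresh authenticator two minutes old: inside the window.
    results.append(validate_authenticator("alice", now - timedelta(minutes=2), now, cache))
    # 2. The same authenticator again: caught by the replay cache.
    results.append(validate_authenticator("alice", now - timedelta(minutes=2), now, cache))
    # 3. A client whose clock is 15 minutes behind, no offset information.
    results.append(validate_authenticator("bob", now - timedelta(minutes=15), now, cache))
    # 4. Same skewed client, but the KDC sealed its offset into the ticket.
    results.append(validate_authenticator("bob", now - timedelta(minutes=15), now, cache,
                                          client_offset=timedelta(minutes=-15)))
    return results


if __name__ == "__main__":
    for accepted, reason in run_scenarios():
        print(accepted, reason)
```

Case 3 versus case 4 is the point of the offset hack: the service does not need the client's clock to be right, only a trusted statement of how wrong it is. The replay cache in case 2 shows the other half of the argument, namely that the cache only has to cover the skew window, so a wider window means more state to hold and a longer period in which a captured authenticator stays usable.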