[99408] in North American Network Operators' Group
RE: Question on Loosely Synchronized Router Clocks
daemon@ATHENA.MIT.EDU (Buhrmaster, Gary)
Thu Sep 20 18:52:55 2007
Date: Thu, 20 Sep 2007 15:51:31 -0700
In-Reply-To: <E1IYRXU-0001TS-N6@elasmtp-mealy.atl.sa.earthlink.net>
From: "Buhrmaster, Gary" <gtb@slac.stanford.edu>
To: "James R. Cutler" <james.cutler@consultant.com>, "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
> Kerberos does not assume clock synchronization.
> Kerberos requires reasonable clock synchronization.
To be more precise, Kerberos requires those systems
for which it is providing (authentication) services
to agree, within a configured (usually) 5-10 minutes.
There is no requirement that those systems have to
agree with anything else outside of their realm.
If a particular set of servers all agree that it is
currently Jan 10th, 1980, at 0913, Kerberos can be
fine with that.
Of course, usually, NTP (or something like that) is
used to keep all the servers "near" UTC, but keeping
clocks at UTC is not a Kerberos requirement.
> And, as near as I can tell, clock synchronization is not part
> of the Kerberos protocol.
It is not, but note that some localized distributions
of Kerberos clients did, indeed, ship with various time
synchronization tools before they were common on
platforms such as Windows and Mac, so some users may
have thought that installing Kerberos meant they got
clock synchronization.
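
Added example, not part of the original message: a small Python audit of the point above, that Kerberos timestamps are checked against the receiving system's own clock, so what matters is agreement between realm members and not agreement with UTC. The host names, the sample clocks, the 5-minute tolerance and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Assumed tolerance; the message above says usually 5-10 minutes.
CLOCKSKEW = timedelta(minutes=5)


def within_skew(sender_clock, receiver_clock, skew=CLOCKSKEW):
    """The receiver accepts a timestamp only if it is within `skew` of its own clock."""
    return abs(sender_clock - receiver_clock) <= skew


def failing_pairs(clocks, skew=CLOCKSKEW):
    """Return the sorted host pairs whose clocks disagree by more than `skew`."""
    return sorted(
        (a, b)
        for a, b in combinations(sorted(clocks), 2)
        if not within_skew(clocks[a], clocks[b], skew)
    )


# Constructed sample data: three hypothetical realm members.
BASE_1980 = datetime(1980, 1, 10, 9, 13)

# Every host believes it is January 1980: wrong against UTC, consistent in the realm.
REALM_1980 = {
    "kdc": BASE_1980,
    "web": BASE_1980 + timedelta(seconds=40),
    "client": BASE_1980 - timedelta(minutes=2),
}

# Same realm, but one client has been set to the actual date.
REALM_MIXED = dict(REALM_1980, client=datetime(2007, 9, 20, 22, 51))

# Each host is within 5 minutes of the KDC, yet client and web are 8 minutes apart.
REALM_DRIFT = {
    "kdc": BASE_1980,
    "web": BASE_1980 + timedelta(minutes=4),
    "client": BASE_1980 - timedelta(minutes=4),
}

if __name__ == "__main__":
    for name, realm in [("1980", REALM_1980), ("mixed", REALM_MIXED), ("drift", REALM_DRIFT)]:
        print(name, failing_pairs(realm))
```

The drift case is the one to watch for when monitoring: measuring each host only against the KDC can show every host inside the tolerance while a client and a service still reject each other.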