[36373] in Kerberos
Re: krb5_timeofday() and krb5_get_time_offsets() usage
daemon@ATHENA.MIT.EDU (Petr Spacek)
Thu Aug 14 07:09:20 2014
Message-ID: <53EC98C9.7080002@redhat.com>
Date: Thu, 14 Aug 2014 13:08:57 +0200
From: Petr Spacek <pspacek@redhat.com>
MIME-Version: 1.0
To: Kerberos@mit.edu
In-Reply-To: <53EB7B86.9000902@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 13.8.2014 16:51, Greg Hudson wrote:
> On 08/13/2014 05:14 AM, Petr Spacek wrote:
>> - The application later uses krb5_cc_retrieve_cred() to get
>> creds.times.endtime value and to check that the ticket is still valid.
>
> You can set an endtimes value in mcreds.times and specify the
> KRB5_TC_MATCH_TIMES flag, and only credentials which expire after that
> endtime will be matched. You still need to use krb5_timeofday() to
> produce an end time relative to the clock-adjusted current time, though.
>
>> I can see that krb5_timeofday() from krb5-libs-1.11 does time offset
>> correction automatically for seconds but not for microseconds.
>
> I don't think you need to worry about microseconds when there is a
> five-minute margin on credential expiration. Plenty of factors will
Oh, I didn't realize that five-minute margin is still in place.
Thank you for clarification!
--
Petr Spacek @ Red Hat
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
