[570] in Kerberos


time skew problem - Kerberos vs. server

daemon@TELECOM.MIT.EDU (Jennifer Steiner)
Fri Jan 6 13:59:04 1989

To: kerberos@ATHENA.MIT.EDU
From: Jennifer Steiner <steiner@ATHENA.MIT.EDU>

The algorithm for checking timestamps (during
verification of authentication info) takes clock
skew into consideration when comparing the client
time and the server time.  But it doesn't allow
for clock skew when comparing the ticket issue
time (Kerberos' timestamp) and the server time,
when figuring out whether the ticket has expired.

This means that if a ticket has a lifetime of
CLOCK_SKEW (5 minutes) or less (like the password-
changing ticket does, although that's not a great
example since the server happens to be on Kerberos),
the ticket may never be valid, even if the Kerberos
time and server time are within the allowed clock
skew.

Either the expiration should be extended by the
allowed clock skew, or tickets shouldn't be assigned
lifetimes less than or equal to the clock skew.

Comments?

Jennifer
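The mismatch the post describes, written out as an added Python example (not code from the post or from the Kerberos sources): the authenticator check tolerates skew between client and server clocks, but the expiry check compares the ticket's issue time and lifetime against the server clock with no allowance, so a lifetime of CLOCK_SKEW or less can be dead on arrival. The 5-minute CLOCK_SKEW value is the one the post quotes; `Ticket`, `verify` and `usable_from_issue` are assumed names, and the clock readings are constructed.

```python
from dataclasses import dataclass

# The 5-minute allowance the post calls CLOCK_SKEW, in seconds.
CLOCK_SKEW = 5 * 60


@dataclass(frozen=True)
class Ticket:
    issue_time: int  # Kerberos' clock when the ticket was issued
    lifetime: int    # seconds the ticket is good for


def verify(ticket: Ticket, client_time: int, server_time: int,
           tolerant: bool = False, skew: int = CLOCK_SKEW) -> bool:
    """Accept the ticket if the authenticator timestamp is fresh and the
    ticket has not expired, both judged on the server's clock.

    tolerant=False reproduces the check the post describes: client vs.
    server time allows skew, ticket expiry does not.
    tolerant=True applies the first proposed fix: extend expiry by skew.
    """
    # Authenticator freshness: client clock vs. server clock, skew allowed.
    if abs(client_time - server_time) > skew:
        return False
    expiry = ticket.issue_time + ticket.lifetime
    if tolerant:
        expiry += skew
    return server_time < expiry


def usable_from_issue(ticket: Ticket, skew: int = CLOCK_SKEW) -> bool:
    """Second proposed fix, as a policy check when the ticket is issued:
    a lifetime no larger than the skew may never be valid, so refuse it."""
    return ticket.lifetime > skew


# Constructed scenario: Kerberos issued the ticket when its clock read 1000.
# The application server's clock runs exactly CLOCK_SKEW fast, which is
# still within the allowed skew. The client's clock agrees with Kerberos.
ISSUE = 1000
SERVER_AHEAD = CLOCK_SKEW
short = Ticket(issue_time=ISSUE, lifetime=CLOCK_SKEW)       # 5-minute ticket
longer = Ticket(issue_time=ISSUE, lifetime=2 * CLOCK_SKEW)  # 10-minute ticket


def demo() -> dict:
    client_now = ISSUE                # presented the instant it was issued
    server_now = ISSUE + SERVER_AHEAD
    return {
        "short_strict": verify(short, client_now, server_now),                  # False
        "short_tolerant": verify(short, client_now, server_now, tolerant=True), # True
        "longer_strict": verify(longer, client_now, server_now),                # True
        "short_issuable": usable_from_issue(short),                             # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

With the server clock running slow instead of fast the strict check passes, which is why the problem only shows up on some hosts.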
