[17554] in Kerberos_V5_Development


Re: clock skew and preauth

daemon@ATHENA.MIT.EDU (Chris Hecker)
Thu Apr 5 17:14:55 2012

Message-ID: <4F7E0B43.4050109@d6.com>
Date: Thu, 05 Apr 2012 14:14:43 -0700
From: Chris Hecker <checker@d6.com>
To: Stef Walter <stefw@gnome.org>
In-Reply-To: <4F7DC8EC.9090807@gnome.org>
Cc: Nico Williams <nico@cryptonector.com>, krbdev@mit.edu, tlyu@mit.edu


Cool, thanks for doing the more clued version!  Let me know if/when you
want me to test this.

It's all client-side, right?

Chris


On 2012/04/05 09:31, Stef Walter wrote:
> [Sorry this isn't a follow up to the previous thread on this topic. I
> just joined the mailing list yesterday.]
> 
> I ran into the same problem as recently discussed on the mailing list,
> with preauth encrypted-timestamp failing due to out of sync clocks.
> That's despite kdc_timesync = 1.
> 
> Greg pointed out this patch:
> 
> http://mailman.mit.edu/pipermail/kerberos/2012-March/018014.html
> 
> In my opinion, the problem with that patch is we're using an
> unauthenticated source (krb5_error->stime) to set the global time offset
> for the entire library (and storing it in the cache file). This could
> be abused.
> 
> Attached is a patch which:
> 
>  * Stores a timestamp offset in krb5_clpreauth_rock when preauth is
>    requested, and uses it during preauth encrypted timestamp.
>  * Exposes a new callback for client preauth plugins. Suggested
>    by Greg.
>  * Refactors krb5_us_timeofday() so we don't copy paste around
>    the offset calculation code.
>  * Uses an offset because of the prompting delay problem [1]
>  * Only enables preauth offsets if kdc_timesync != 0.
> 
> Does this look like a good approach? I'll file a PR for it if so.
> 
> Cheers,
> 
> Stef
> 
> [1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7063
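
An illustration of the approach outlined in the quoted message, added here and not taken from the attached patch or from MIT krb5: the skew learned from a KDC error is kept as an offset in per-request state and applied only when building the encrypted timestamp. The struct and function names are hypothetical.

```c
#include <stdint.h>

/* Hypothetical per-request state; stands in for the preauth "rock". */
struct req_ctx {
    int     timesync_enabled;  /* mirrors kdc_timesync != 0 */
    int     have_offset;       /* set once a KDC time has been seen */
    int32_t off_sec;           /* KDC time minus local time, seconds */
    int32_t off_usec;          /* microseconds part, 0..999999 */
};

/* Record the skew when a KDC error carrying stime/susec arrives.
 * The KDC time is unauthenticated, so it is stored in this request only
 * and never in a library-wide offset. Storing the difference rather than
 * the absolute time keeps it valid after a delay at a password prompt. */
void req_note_kdc_time(struct req_ctx *r,
                       int32_t kdc_sec, int32_t kdc_usec,
                       int32_t now_sec, int32_t now_usec)
{
    if (!r->timesync_enabled)
        return;
    r->off_sec = kdc_sec - now_sec;
    r->off_usec = kdc_usec - now_usec;
    if (r->off_usec < 0) {          /* borrow one second */
        r->off_usec += 1000000;
        r->off_sec -= 1;
    }
    r->have_offset = 1;
}

/* Time to place in the encrypted-timestamp preauth data for this request. */
void req_preauth_time(const struct req_ctx *r,
                      int32_t now_sec, int32_t now_usec,
                      int32_t *out_sec, int32_t *out_usec)
{
    *out_sec = now_sec;
    *out_usec = now_usec;
    if (!r->have_offset)
        return;                     /* no skew known: use the local clock */
    *out_sec += r->off_sec;
    *out_usec += r->off_usec;
    if (*out_usec >= 1000000) {     /* carry one second */
        *out_usec -= 1000000;
        *out_sec += 1;
    }
}
```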