[127] in Kerberos


Time synchronization

jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:31:38 1987

From miller%erlang.DEC@decwrl.DEC.COM  Thu Oct 23 11:10:33 1986
Date: 23-Oct-1986 0948
From: miller%erlang.DEC@decwrl.DEC.COM  (Steve Miller)
To: kerberos@athena.mit.edu  (Distribution list @KERB)
Subject: Time synchronization

I tracked down a problem that Jim VanSciver was having with Kerberos,
and it turned out to be a time synchronization problem.  The Kerberos
server itself was running over 3 minutes slow, while his workstation was
running fast.  The net result was that the Kerberos server rejected
ticket-granting-ticket requests.

The current maximum time skew allowed by the protocol is 5 minutes.
Stretching this does not solve the problem, but only increases the number
of days clocks can drift before the problem bites you.  It also increases
vulnerability to replays.

Therefore I would suggest the following:
	a)	The time on Kerberos servers is manually set by the Kerberos
		administrator every couple of days (or more frequently.) The
		Athena timeservice should not be automatically used for this,
		since it could be spoofed, may not be accurate, and the time
		exchange is not authenticated.
	b)	Workstations and time sharing systems should synchronize to
		"real" time, using either the Athena time service or other
		means, on a daily basis using some mechanism such as crontab.
	c)	A system/network manager should monitor the Timeserver time
		to check for significant discrepancies. If the Kerberos time
		and the timeserver time get too far out of synch, Kerberos
		effectively will reject all requests from systems that synched
		to the timeserver.

A more ambitious approach would be to make the timeserver a trusted, Athena
administered service using a Kerberos protocol to provide integrity
for certain requests.  Then by adding a reliable source of the time, such
as a WWV receiver, things could stay correctly in synch.  Of course, to boot
the "system" you still need a good external reference of time to set up the
Kerberos time before it talks to the timeserver.

So if weird, intermittent Kerberos errors occur, check the time
synchronization.

Steve.
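
Added example, not part of the message above and not Kerberos code: a simplified Python model of a server-side timestamp check with the 5-minute limit. It shows how a slow server and a fast workstation combine into a rejection, and why a wider limit lengthens the time a captured request stays acceptable. The class, function names and clock values are constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # limit stated in the message


class Verifier:
    """Simplified model of a timestamp check with a replay cache (assumed design)."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.seen = set()  # (client, timestamp) pairs already accepted

    def check(self, client, stamp, server_now):
        # Entries whose timestamp can no longer pass the skew test are dropped,
        # so the cache only has to cover the acceptance window.
        self.seen = {(c, s) for c, s in self.seen
                     if abs(server_now - s) <= self.max_skew}
        if abs(server_now - stamp) > self.max_skew:
            return "rejected: clock skew"
        if (client, stamp) in self.seen:
            return "rejected: replay"
        self.seen.add((client, stamp))
        return "accepted"


def replay_window(max_skew):
    """Worst-case time a captured request keeps passing the skew test.

    A stamp from a client running max_skew fast passes immediately and keeps
    passing until the server clock is max_skew beyond it.
    """
    return 2 * max_skew


def scenario():
    """Slow server plus fast workstation, as in the message (values constructed)."""
    true_now = datetime(1986, 10, 23, 9, 48, 0)
    server_now = true_now - timedelta(minutes=3, seconds=10)  # server slow
    client_now = true_now + timedelta(minutes=2)              # workstation fast
    # Each clock is within 5 minutes of real time, but they differ by 5m10s.
    return Verifier().check("workstation", client_now, server_now)


if __name__ == "__main__":
    print(scenario())
    print(replay_window(MAX_SKEW), replay_window(timedelta(minutes=15)))
```

The replay cache has to remember requests for as long as the skew test would still pass them, so stretching the limit grows both the cache and the exposure if the cache is missing or lost.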

