[7491] in Kerberos
implications of clock skew allowance
daemon@ATHENA.MIT.EDU (Paul Pomes)
Sat Jun 15 03:42:48 1996
To: kerberos@MIT.EDU
Date: 14 Jun 1996 19:42:11 GMT
From: P-Pomes@Qualcomm.com (Paul Pomes)
What is wrong with this picture?
% klist
Ticket cache: /tmp/K5C:0
Default principal: ppomes@GLOBALSTAR.COM
Valid starting Expires Service principal
14 Jun 96 12:27:34 14 Jun 96 12:32:31 krbtgt/GLOBALSTAR.COM@GLOBALSTAR.COM
14 Jun 96 12:32:05 14 Jun 96 12:32:31 host/hydra1.glab.globalstar.com@GLOBALSTAR.COM
14 Jun 96 12:33:49 14 Jun 96 12:32:31 host/lyra1.glab.globalstar.com@GLOBALSTAR.COM
14 Jun 96 12:35:26 14 Jun 96 12:32:31 host/draco1.glab.globalstar.com@GLOBALSTAR.COM
14 Jun 96 12:36:08 14 Jun 96 12:32:31 host/andromeda.glab.globalstar.com@GLOBALSTAR.COM
14 Jun 96 12:37:10 14 Jun 96 12:32:31 host/vega1.glab.globalstar.com@GLOBALSTAR.COM
14 Jun 96 12:37:28 14 Jun 96 12:32:31 host/vega2.glab.globalstar.com@GLOBALSTAR.COM
I requested a short lifetime ticket (kinit -l 5m) and found that it was
good for twice as long as I thought due to the 5 minute clock skew allowance.
Since everything we use is NTP sync'ed, I think I'll cut this to 15 seconds.
This has the added benefit of letting us know more quickly when NTP goes
south.
/pbp
--
Women's studies is a jumble of vulgarians, bunglers, whiners, French faddicts,
apparatchiks, doughface party-liners, pie-in-the-sky utopianists, and
bullying, sanctimonious sermonizers.
-- Camille Paglia
