[7496] in Kerberos
Re: implications of clock skew allowance
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Mon Jun 17 16:40:58 1996
To: P-Pomes@Qualcomm.com (Paul Pomes)
Cc: kerberos@MIT.EDU
In-Reply-To: P-Pomes's message of 14 Jun 1996 19:42:11 +0000.
<4psfaj$77c@qualcomm.com>
Date: Mon, 17 Jun 1996 15:16:46 -0400
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
> I requested a short lifetime ticket (kinit -l 5m) and found that it was
> good for twice as long as I thought due to the 5 minute clock skew allowance.
> Since everything we use is NTP sync'ed, I think I'll cut this to 15 seconds.
> This has the added benefit of letting us know more quickly when NTP goes
> south.

Remember that the 5-minute fuzz has to cover for all other delays
between the calls to krb5_mk_req on the client and krb5_rd_req on the
server.

If you set it as short as 15 seconds, you might have difficulty with
slow networks (e.g., demand-dialed links) and/or overloaded servers.

- Bill
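
The arithmetic behind both messages, as an added example that is not part of the original thread and not MIT krb5 code: a simplified model of the time checks RFC 4120 specifies for a server receiving an AP-REQ. The function names, the class and the 20-second link delay are assumptions made for illustration.

```python
"""Simplified model of the RFC 4120 time checks on an AP-REQ (not krb5 source)."""
from dataclasses import dataclass


@dataclass
class ApReq:
    starttime: int  # ticket start time (seconds)
    endtime: int    # ticket end time
    ctime: int      # authenticator timestamp, client clock when krb5_mk_req ran


def check_ap_req(req, server_now, skew):
    """Return 'OK' or the RFC 4120 error name the server would report."""
    # Authenticator freshness: client and server time may differ by at most skew.
    if abs(server_now - req.ctime) > skew:
        return "KRB_AP_ERR_SKEW"
    # Ticket validity window is widened by skew at both ends.
    if req.starttime - server_now > skew:
        return "KRB_AP_ERR_TKT_NYV"
    if server_now - req.endtime > skew:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return "OK"


def send(issued_at, lifetime, sent_at, client_offset, delay, skew):
    """Client builds the request at sent_at; the server reads it delay seconds later.

    client_offset is how far the client clock is ahead of the server clock.
    """
    req = ApReq(issued_at, issued_at + lifetime, sent_at + client_offset)
    return check_ap_req(req, sent_at + delay, skew)


def last_accepted_second(lifetime, skew):
    """Latest whole second after issue at which a fresh request still succeeds."""
    t = 0
    while send(0, lifetime, t + 1, 0, 0, skew) == "OK":
        t += 1
    return t


if __name__ == "__main__":
    # Constructed scenarios: a 5-minute ticket (kinit -l 5m) under two skew settings.
    for skew in (300, 15):
        print(f"skew={skew:>3}s  usable for {last_accepted_second(300, skew)}s, "
              f"20s-delayed request: {send(0, 300, 10, 0, 20, skew)}")
```
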