projects / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8d689ce) | patch
Allow preauth mechs to work with clock skew
authorGreg Hudson <ghudson@mit.edu>
Tue, 17 Apr 2012 04:07:34 +0000 (04:07 +0000)
committerGreg Hudson <ghudson@mit.edu>
Tue, 17 Apr 2012 04:07:34 +0000 (04:07 +0000)
commit5f39a4438eafd693a3eb8366bbc3901efe62e538
treefc738c1ef2b58474b2622c5e1937a22bd1eaeffatree | snapshot
parent8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0commit | diff
Allow preauth mechs to work with clock skew

Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge.  This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).

Based on a patch from Stef Walter.

ticket: 7114

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
src/include/k5-int.h diff | blob | history
src/include/krb5/preauth_plugin.h diff | blob | history
src/lib/krb5/krb/get_in_tkt.c diff | blob | history
src/lib/krb5/krb/preauth2.c diff | blob | history
src/lib/krb5/krb/preauth_ec.c diff | blob | history
src/lib/krb5/krb/preauth_encts.c diff | blob | history
src/lib/krb5/os/ustime.c diff | blob | history
src/tests/t_skew.py diff | blob | history
MIT implementation of the Kerberos network authentication protocol. This repo may be rebased, so don't base your work on it. Use git://github.com/krb5/krb5 instead.