+2004-01-05 Sam Hartman <hartmans@mit.edu>
+
+ * kerberos_v4.c (kerberos_v4): Only backdate the rquest in the
+ issued ticket. Client libraries tend to verify that the
+ backdating falls within clockskew. a
+
2003-08-29 Ken Raeburn <raeburn@mit.edu>
* configure.in: Call KRB5_AC_NEED_DAEMON instead of checking
case AUTH_MSG_KDC_REQUEST:
{
-#ifdef notdef
- u_long time_ws; /* Workstation time */
-#endif
int req_life; /* Requested liftime */
+ unsigned int request_backdate = 0; /*How far to backdate
+ in seconds.*/
char *service; /* Service name */
char *instance; /* Service instance */
#ifdef notdef
* kerb_time, which is potentially problematic.
*/
if (v4endtime > v4req_end)
- kerb_time.tv_sec -= v4endtime - v4req_end;
+ request_backdate = v4endtime - v4req_end;
#ifdef NOENCRYPTION
memset(session_key, 0, sizeof(C_Block));
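Review bot: The comment that ends just above `if (v4endtime > v4req_end)` still describes the adjustment as touching `kerb_time, which is potentially problematic`, but the new code no longer modifies `kerb_time` and only records the difference in `request_backdate`. The stale wording will mislead the next reader about which timestamps are shifted. I would reword the tail of the comment to something like `* The difference is kept in request_backdate and applied only to the issued ticket; kerb_time is left unchanged.` The start of that comment is outside the hunk, so the rest of its wording should be checked against the file.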
krb_create_ticket(tk, k_flags, a_name_data.name,
a_name_data.instance, local_realm,
client_host.s_addr, (char *) session_key,
- lifetime, kerb_time.tv_sec,
+ lifetime, kerb_time.tv_sec - request_backdate,
s_name_data.name, s_name_data.instance,
key);
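Review bot: In the `krb_create_ticket` call, `kerb_time.tv_sec - request_backdate` subtracts an `unsigned int` from what is presumably a signed seconds value. On a platform where `long` is no wider than `unsigned int`, the subtraction is done in unsigned arithmetic and the result is only converted back at the call boundary. That gives the intended value in practice, but it depends on an implicit conversion in the field that sets the ticket's issue time. Declaring the variable in the first hunk as `long request_backdate = 0;`, or casting at the call, would keep the arithmetic signed throughout. A short comment at the call, such as `/* only the ticket's issue time is backdated; kerb_time stays current for the reply */`, would also record the intent that is currently stated only in the ChangeLog.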