From: Sam Hartman
Date: Mon, 5 Jan 2004 21:42:34 +0000 (+0000)
Subject: Only backdate the ticket that is created. The KDC reply must contain
X-Git-Tag: krb5-1.4-beta1~667
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=87128182b464b26c6a14fbde5f44eda82b57163a;p=krb5.git

Only backdate the ticket that is created. The KDC reply must contain the time from the client's request or the client will fail its clockskew check if the request is backdated too far.
Ticket: 2058
Target_Version: 1.3.2
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15965 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 95ab68987..04af11ea7 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,9 @@
+2004-01-05 Sam Hartman
+
+ * kerberos_v4.c (kerberos_v4): Only backdate the rquest in the
+ issued ticket. Client libraries tend to verify that the
+ backdating falls within clockskew. a
+
 2003-08-29 Ken Raeburn
 * configure.in: Call KRB5_AC_NEED_DAEMON instead of checking
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index 01359792f..1d1ca702e 100644
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -673,10 +673,9 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
 case AUTH_MSG_KDC_REQUEST: {
-#ifdef notdef
- u_long time_ws; /* Workstation time */
-#endif
 int req_life; /* Requested liftime */
+ unsigned int request_backdate = 0; /*How far to backdate
+ in seconds.*/
 char *service; /* Service name */
 char *instance; /* Service instance */
 #ifdef notdef
@@ -749,7 +748,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
 * kerb_time, which is potentially problematic. */
 if (v4endtime > v4req_end)
- kerb_time.tv_sec -= v4endtime - v4req_end;
+ request_backdate = v4endtime - v4req_end;
 #ifdef NOENCRYPTION
 memset(session_key, 0, sizeof(C_Block));
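Review bot: `request_backdate` is declared `unsigned int` in the `AUTH_MSG_KDC_REQUEST` block, yet it receives `v4endtime - v4req_end` (hunk at -749) and is subtracted from `kerb_time.tv_sec` in the `krb_create_ticket` call (hunk at -770), so the ticket's issue time now depends on mixed-type arithmetic. The operand types are not visible in these hunks; if `tv_sec` is a signed `long`, declaring the variable as `long request_backdate = 0;` keeps the subtraction signed and avoids narrowing the difference. The comment could also say what is backdated, for example `/* Seconds to backdate the issued ticket only; the reply keeps kerb_time. */`. The case block starts and ends outside the hunk.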
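Review bot: The comment that closes just above the `if` still reads `kerb_time, which is potentially problematic`, but the new assignment no longer modifies `kerb_time`; it only records the difference in `request_backdate`. Reword that tail so the next reader does not look for a side effect that is gone, for example `* The backdate is kept in request_backdate and applied only to the issued ticket.` The comment begins above the hunk, so its opening lines are not visible here and should be checked as well. No upper bound on the difference is visible in the hunk; since it moves the ticket's validity window, confirm how large `v4endtime - v4req_end` can get.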
@@ -770,7 +769,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
 krb_create_ticket(tk, k_flags, a_name_data.name, a_name_data.instance, local_realm, client_host.s_addr, (char *) session_key,
- lifetime, kerb_time.tv_sec,
+ lifetime, kerb_time.tv_sec - request_backdate,
 s_name_data.name, s_name_data.instance, key);