RT RT/krbdev.mit.edu: Ticket #7063 Prompter delay can cause spurious clock skew Signed in as guest.

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]


 The Basics  
0 min

 Keyword Selections  
  • 1.11

Depends on:
Depended on by:

Refers to:
  • 889: (Nobody) vast clock skew allows negative-life tickets [open]
Referred to by:
  • 7528: (tlyu) Fix spurious clock skew caused by gak_fct delay [resolved]
  • 7610: (tlyu) Fix spurious clock skew caused by gak_fct delay [resolved]
Created: Mon Jan 9 12:11:31 2012
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Mon Nov 19 16:12:37 2012 by tlyu


 More about Greg Hudson  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:

History   Display mode: [Brief headers] [Full headers]
      Mon Jan  9 12:11:31 2012  ghudson - Ticket created    
Subject: Prompter delay can cause spurious clock skew

When we make an AS request, by default we record the difference between
the system time and the reply's authtime in the context (in the
time_offset field of os_context).  This offset is recorded when a ccache
is created and restored when a ccache is loaded.

If gak_fct takes a long time (because the user took a long time to enter
the password), we incorrectly compute a large negative time offset.  To
fix this, we need to snapshot the system time when the reply is received,
before calling gak_fct, and use that snapshotted time after decrypting the

We can either do this by introducing a more sophisticated (perhaps
internal) API than krb5_set_real_time(), or we can just fudge the authtime
by the amount of time elapsed across the gak_fct call.

Download (untitled) 767b
      Wed Jan 11 16:20:11 2012  ghudson - Given to ghudson    
      Wed Jan 11 16:20:11 2012  ghudson - Status changed from open to review    
      Wed Jan 11 16:20:11 2012  ghudson - Correspondence added    
From: ghudson@mit.edu
Subject: SVN Commit

Fix spurious clock skew caused by gak_fct delay

In get_in_tkt.c, a time offset is computed between the KDC's auth_time
and the current system time after the reply is decrypted.  Time may
have elapsed between these events because of a gak_fct invocation
which blocks on user input.  The resulting spurious time offset can
cause subsequent TGS-REQs to fail and can also cause the end time of
the next AS request to be in the past (issue #889) in cases where the
old ccache is opened to find the default principal.

Use the system time, without offset, for the request time of an AS
request, for more predictable kinit behavior.  Use this request time,
rather than the current time, when computing the clock skew after the
reply is decrypted.

Commit By: ghudson
Revision: 25644
Changed Files:
U   trunk/src/lib/krb5/krb/get_in_tkt.c

Download (untitled) 885b
      Wed Jan 11 16:34:01 2012  ghudson - Comments added    
This is a very old bug, so the fix could reasonably be pulled up to any
previous release we support.  Releases prior to 1.8 will have a different
code structure in get_in_tkt.c, so would require more effort to backport
the patch.

Download (untitled) 233b
      Thu Mar 22 19:35:21 2012  tlyu - Ticket 7063 RefersTo ticket 889.    
      Mon Nov 19 16:09:53 2012  tlyu - Version_Fixed 1.11 added    
      Mon Nov 19 16:12:37 2012  tlyu - Status changed from review to resolved