Date: Tue, 25 Mar 2008 14:41:46 -0400 (EDT)
From: Nik Conwell
To: krb5
Subject: [krbdev.mit.edu #5924] Non-unique microseconds in TGS_REQ authenticator causing KRB5KRB_AP_ERR_REPEAT Request is a replay

[Looks like the RT gateway sent only the last attachment to the list and not the first (interesting one) and the actual message. All the info is in the ticket; I thought I'd send this to the list for reference.]

I have a short-running yet frequently run app that gets a TGT with a keytab and then does a TGS request. From time to time the TGS_REQ is denied with KRB5KRB_AP_ERR_REPEAT "Request is a replay".

Turns out that as part of the TGT request, get_in_tkt.c verify_as_reply() calls krb5_set_real_time() to account for the time offset between client and server. Since only seconds come from the server, it is called with microseconds of 0, which effectively sets the microseconds in the client to 0. (Effectively, since these values are offsets that the client library applies to the real system time.)

Since the app code between the AS_REQ and TGS_REQ is the same from invocation to invocation, the time between them is often the same, and so if there are multiple invocations in the same second (frequently run app), the time in the authenticator (seconds and microseconds) is occasionally the same, running afoul of the replay detection on the KDC.

As a workaround, the krb5.conf can have:

    [libdefaults]
        kdc_timesync = 0

but that disables all time synchronization, which is not desirable.

Attached are 2 patches. One to leave the microseconds unchanged, and one debugging hack to see the time values in the authenticator. [Patches are in the RT ticket krbdev.mit.edu #5924.]

-nik
Nik Conwell
nik@bu.edu
Boston University Information Technology
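The following is an added illustrative model of the failure mode described in the message above; it is neither libkrb5 code nor the patches from the ticket. set_real_time() and us_timeofday() mimic the offset bookkeeping of krb5_set_real_time()/krb5_us_timeofday() as the message explains it, a negative usec argument stands in for the "leave the microseconds unchanged" behaviour, and the 3-second KDC skew, the per-run system times and the 35 ms AS-to-TGS delay are all constructed values.

```c
/* Illustrative model of the libkrb5 client clock, not libkrb5 code. */
typedef struct { long sec; long usec; } ustime;            /* a point in time */
typedef struct { long sec_off; long usec_off; } clock_ctx; /* stored offsets */

/* Like krb5_set_real_time(): store offsets so the library clock reads sec.usec
 * now. A negative usec leaves the microsecond offset alone (the patch's idea). */
static void set_real_time(clock_ctx *c, ustime now, long sec, long usec) {
    c->sec_off = sec - now.sec;
    if (usec >= 0)
        c->usec_off = usec - now.usec;    /* usec == 0 zeroes the client usec */
}

/* Like krb5_us_timeofday(): system time plus offsets, normalised. */
static ustime us_timeofday(const clock_ctx *c, ustime now) {
    ustime t = { now.sec + c->sec_off, now.usec + c->usec_off };
    while (t.usec < 0)        { t.usec += 1000000; t.sec--; }
    while (t.usec >= 1000000) { t.usec -= 1000000; t.sec++; }
    return t;
}

/* One app invocation: the AS reply lands at system time as_done, the KDC
 * (assumed 3 s ahead) reports authtime in whole seconds, and the TGS_REQ
 * authenticator is stamped delay_usec later. */
static ustime authenticator_time(ustime as_done, long delay_usec, int keep_usec) {
    clock_ctx ctx = { 0, 0 };
    set_real_time(&ctx, as_done, as_done.sec + 3, keep_usec ? -1 : 0);
    ustime later = { as_done.sec, as_done.usec + delay_usec };
    return us_timeofday(&ctx, later);
}

/* Minimal KDC replay cache keyed on (sec, usec): 1 if the stamp was seen. */
static int replay_seen(ustime *cache, int *n, ustime t) {
    for (int i = 0; i < *n; i++)
        if (cache[i].sec == t.sec && cache[i].usec == t.usec) return 1;
    cache[(*n)++] = t;
    return 0;
}

/* Two invocations in the same second with the same code path (same delay);
 * the timestamps are constructed. Returns how many TGS_REQs the KDC rejects. */
static int rejected_requests(int keep_usec) {
    ustime runs[2] = { { 1206470506, 120000 }, { 1206470506, 480000 } };
    ustime cache[2]; int n = 0, rejected = 0;
    for (int i = 0; i < 2; i++)
        rejected += replay_seen(cache, &n, authenticator_time(runs[i], 35000, keep_usec));
    return rejected;
}
```

With the microseconds zeroed (rejected_requests(0)) both runs stamp the authenticator at the same second and 35000 us, so the second one is rejected as a replay; with the microsecond offset left alone (rejected_requests(1)) the stamps keep their original sub-second spread and nothing is rejected.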