Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) From: ghudson@mit.edu Subject: SVN Commit RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 856 Allow preauth mechs to work with clock skew Add a clpreauth callback which gets the time of day using an offset determined by the preauth-required error, and use it in encrypted timestamp and encrypted challenge. This timestamp is not necessarily authenticated, but the security consequences for those preauth mechs are minor (and can be mitigated by turning off kdc_timesync on clients). Based on a patch from Stef Walter. https://github.com/krb5/krb5/commit/5f39a4438eafd693a3eb8366bbc3901efe62e538 Commit By: ghudson Revision: 25808 Changed Files: U trunk/src/include/k5-int.h U trunk/src/include/krb5/preauth_plugin.h U trunk/src/lib/krb5/krb/get_in_tkt.c U trunk/src/lib/krb5/krb/preauth2.c U trunk/src/lib/krb5/krb/preauth_ec.c U trunk/src/lib/krb5/krb/preauth_encts.c U trunk/src/lib/krb5/os/ustime.c U trunk/src/tests/t_skew.py