Skip Menu |

Subject: gss_accept_sec_context doesn't allow for clock skew
Date: Mon, 30 Jul 2012 13:26:53 -0700
From: Arlene Berry <>
To: <>

Kg_accept_krb5 in src/lib/gssapi/krb5/accept_sec_context.c doesn’t allow for clock skew when checking the context end time (line 983) which RFC 4120 section 3.2.3 “Receipt of KRB5_AP_REQ Message” states should be done and we’ve seen failures because of it.  Our current patch just adds the skew to the end time at about line 952 but I’m not certain whether that’s the best solution.  It’s not sufficient to include the skew when checking the end time because the calculation of time_rec also needs to take it into account so as not to have a negative result.  Kg_accept_dce has the same issue.