Subject: git commit

Use preauth timestamp in PKINIT clpreauth module

Use the timestamp from the KDC's preauth-required error when
generating a PKAuthenticator in pa_pkinit_gen_req(), to allow PKINIT
authentication to succeed despite client clock skew if kdc_timesync is

Because this timestamp is unauthenticated (unless FAST is used), an
attacker could induce a legitimate client to generate a
PKAuthenticator for a future timestamp. But replaying this request in
the future would only cause the KDC to issue a ticket which the
attacker cannot decrypt.

Author: Greg Hudson <>
Commit: fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Branch: master

src/plugins/preauth/pkinit/pkinit_clnt.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)