Use of clock_skew option on Client side krb5.conf file - Kerberos

This is a discussion on Use of clock_skew option on Client side krb5.conf file - Kerberos ; Hi all, I have a query regaqrding specifying the clock_skew in the client side ( kerberos client) krb5.conf file. As I understand, the maximum allowable time skew is determined by KDC. Please let me know whether my understanding is correct. ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Use of clock_skew option on Client side krb5.conf file

  1. Use of clock_skew option on Client side krb5.conf file

    Hi all,

    I have a query regaqrding specifying the clock_skew in the client side
    ( kerberos client) krb5.conf file. As I understand, the maximum
    allowable time skew is determined by KDC. Please let me know whether my
    understanding is correct.

    I want to understand the use of specifying the clock_skew in the client
    side krb5.conf file. For example on KDC krb5.conf file, the maximum
    allowable clock skew is say 600 seconds. On the client krb5.conf file I
    specify clock_skew = 1200 seconds. What will be the effect ? Will KDC
    accept the request if time difference is greater than 600 but with in
    1200 ?

    Could you please explain?

    - Sandy.


  2. Re: Use of clock_skew option on Client side krb5.conf file



    On Monday, July 10, 2006 12:06:12 AM -0700 sandypossible@gmail.com wrote:

    > Hi all,
    >
    > I have a query regaqrding specifying the clock_skew in the client side
    > ( kerberos client) krb5.conf file. As I understand, the maximum
    > allowable time skew is determined by KDC. Please let me know whether my
    > understanding is correct.
    >
    > I want to understand the use of specifying the clock_skew in the client
    > side krb5.conf file. For example on KDC krb5.conf file, the maximum
    > allowable clock skew is say 600 seconds. On the client krb5.conf file I
    > specify clock_skew = 1200 seconds. What will be the effect ? Will KDC
    > accept the request if time difference is greater than 600 but with in
    > 1200 ?
    >
    > Could you please explain?


    The KDC determines the amount of skew acceptable between the time the
    client _uses_ and the actual time on the KDC. Similarly, each Kerberos
    application service determines the amount of skew acceptable between the
    time the client uses and the actual time on the machine providing the
    service. I beliece the clock_skew value in krb5.conf actually controls the
    latter value - that is, it affects application servers, not clients.


    RFC4120 describes a way to allow clients to operate with a clock that does
    not agree with the KDC, as long as the client's clock is running at more or
    less the correct _rate_, and as long as the clocks on the KDC and
    application servers are sufficiently close. Many Kerberos implementations
    support this technique, and will apply it automatically when needed.

    -- Jeffrey T. Hutzelman (N3NHS)
    Sr. Research Systems Programmer
    School of Computer Science - Research Computing Facility
    Carnegie Mellon University - Pittsburgh, PA

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread