author | Sam Hartman <hartmans@mit.edu> | 2004-01-05 21:42:34 +0000 |
committer | Sam Hartman <hartmans@mit.edu> | 2004-01-05 21:42:34 +0000 |
commit | 87128182b464b26c6a14fbde5f44eda82b57163a (patch) | |
tree | b8638f874d82cbe20c4c70a1558b02c0c8c5db15 | |
parent | b32122b9363c37c3460d5fabd074617030c4107d (diff) | |
Only backdate the ticket that is created. The KDC reply must contain
the time from the client's request or the client will fail its
clockskew check if the request is backdated too far.
Ticket: 2058
Target_Version: 1.3.2
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15965 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/kdc/ChangeLog | 6 | ||||
-rw-r--r-- | src/kdc/kerberos_v4.c | 9 |
2 files changed, 10 insertions, 5 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 95ab689870..04af11ea75 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,9 @@
+2004-01-05 Sam Hartman <hartmans@mit.edu>
+
+	* kerberos_v4.c (kerberos_v4): Only backdate the rquest in the
+	issued ticket. Client libraries tend to verify that the
+	backdating falls within clockskew. a
+
 2003-08-29 Ken Raeburn <raeburn@mit.edu>
 
 	* configure.in: Call KRB5_AC_NEED_DAEMON instead of checking
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index 01359792f5..1d1ca702eb 100644
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -673,10 +673,9 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
 
     case AUTH_MSG_KDC_REQUEST:
     {
-#ifdef notdef
-	u_long time_ws;		/* Workstation time */
-#endif
 	int req_life;		/* Requested liftime */
+	unsigned int request_backdate = 0; /*How far to backdate
+					     in seconds.*/
 	char *service;		/* Service name */
 	char *instance;		/* Service instance */
 #ifdef notdef
@@ -749,7 +748,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
 	 * kerb_time, which is potentially problematic.
 	 */
 	if (v4endtime > v4req_end)
-	    kerb_time.tv_sec -= v4endtime - v4req_end;
+	    request_backdate = v4endtime - v4req_end;
 
 #ifdef NOENCRYPTION
 	memset(session_key, 0, sizeof(C_Block));
@@ -770,7 +769,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
 	    krb_create_ticket(tk, k_flags, a_name_data.name,
			      a_name_data.instance, local_realm,
			      client_host.s_addr, (char *) session_key,
-			      lifetime, kerb_time.tv_sec,
+			      lifetime, kerb_time.tv_sec - request_backdate,
			      s_name_data.name, s_name_data.instance,
			      key);
|
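Review bot: `request_backdate` is declared `unsigned int` in the first kerberos_v4.c hunk, but it receives the difference `v4endtime - v4req_end` in the second hunk and is subtracted from `kerb_time.tv_sec` (a `time_t`) in the third; on a platform where `time_t` is not wider than `unsigned int`, the usual arithmetic conversions make that issue-time subtraction unsigned before the value is handed to `krb_create_ticket`. Declaring it with a signed type that matches the time arithmetic, e.g. `long request_backdate = 0;` (or `time_t`), keeps the expression signed; the `if (v4endtime > v4req_end)` guard already ensures the stored value is never negative. The wrapped declaration comment would also read better as a single line, `/* How far to backdate the ticket issue time, in seconds. */`. The enclosing kerberos_v4 function starts and ends outside these hunks.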
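Review bot: The comment whose tail `* kerb_time, which is potentially problematic.` is visible just above the changed line in the second kerberos_v4.c hunk appears to describe the old approach of adjusting `kerb_time` itself, which this hunk removes, so it is now stale; only its last two lines are inside the hunk, so the earlier wording cannot be checked here. That tail could be replaced with `* request_backdate, which is applied only to the issue time of the ticket we create; the KDC reply itself still carries the current time.`, which records why the reply time is left untouched. The enclosing kerberos_v4 function starts and ends outside the hunk.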