| author | Greg Hudson <ghudson@mit.edu> | 2012-04-17 04:07:34 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-04-17 04:07:34 +0000 |
| commit | 5f39a4438eafd693a3eb8366bbc3901efe62e538 (patch) | |
| tree | fc738c1ef2b58474b2622c5e1937a22bd1eaeffa /src/tests | |
| parent | 8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0 (diff) | |
Allow preauth mechs to work with clock skew
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
Based on a patch from Stef Walter.
ticket: 7114
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests')
| -rw-r--r-- | src/tests/t_skew.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
index f00c2f920..f831035ac 100644
--- a/src/tests/t_skew.py
+++ b/src/tests/t_skew.py
@@ -13,9 +13,13 @@ realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
 realm.run_as_client([kvno, realm.host_princ])
 realm.run_as_client([kdestroy])
-# kinit (with preauth) should fail.
+# kinit (with preauth) should work, with or without FAST.
 realm.run_kadminl('modprinc +requires_preauth user')
-realm.kinit(realm.user_princ, password('user'), expected_code=1)
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run_as_client([kvno, realm.host_princ])
+realm.run_as_client([kdestroy])
 realm.stop()
@@ -31,8 +35,10 @@ realm.run_as_client([kvno, realm.host_princ], expected_code=1)
 realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache], expected_code=1)
-# kinit (with preauth) should fail.
+# kinit (with preauth) should fail, with or without FAST.
 realm.run_kadminl('modprinc +requires_preauth user')
 realm.kinit(realm.user_princ, password('user'), expected_code=1)
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+ expected_code=1)
 success('Clock skew tests') |
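Review bot: The rewritten comment above `realm.run_kadminl('modprinc +requires_preauth user')` in the first hunk says the preauth kinit should now work but not why, and the reason is the security-relevant part. Per the commit message, the client takes its time offset from the preauth-required error, which is not necessarily authenticated. I would record that where the behaviour is asserted, for example `# kinit (with preauth) should work, with or without FAST: the client takes its` followed by `# time offset from the preauth-required error, which is not authenticated.` The realm setup is outside this hunk, so the amount of skew being tolerated is not visible here.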
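Review bot: The FAST case added at the end of the second hunk (`flags=['-T', realm.ccache]` with `expected_code=1`) asserts only a non-zero exit status, so it passes on any kinit failure, including an unusable armor ccache, and not only on a clock-skew rejection. The earlier FAST kinit in this section is itself expected to fail and the section's setup lies outside the hunk, so whether `realm.ccache` holds usable armor tickets at this point cannot be confirmed from here. This block is the regression guard for the kdc_timesync mitigation named in the commit message, so it would be worth checking the reported error as well as the exit status. At minimum, record the gap next to the call with `# expected_code=1 alone does not show that the failure is a clock skew error.`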
