Kerberos Service Ticket Lifetime vs clock skew

社会主义新天地 submitted on 2019-12-11 15:17:35

Question


Clock Skew:

In order to prevent intruders from resetting their system clocks in order to continue to use expired tickets, Kerberos V5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC (as specified in the kdc.conf file). The default value for maximum clock skew is 300 seconds, or five minutes.

Service Ticket lifetime:

Value = 0 here means never expires.


Now say I have a Kerberos service ticket that never expires, or at least does not expire for an hour, and I have not tampered with the default clock skew value. The questions I have are:

  1. If I (the client) get a service ticket from the KDC now and present it to the service, say, after 30 mins, will my authentication succeed?
  2. What logic is used to determine clock skew?
  3. If a ticket with a lifetime = 1 hr or more is presented to the server at the 6th minute (after being obtained from the KDC), how does the server determine whether it is clock skew or just a delayed delivery?

Note: These questions are part of a larger problem I'm currently trying to solve related to functional testing for validation of a Kerberos ticket.

Source: https://stackoverflow.com/questions/56404515/kerberos-service-ticket-lifetime-vs-clock-skew
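
An added example, not part of the original question: a Python model of the acceptance checks that RFC 4120 (section 3.2.3) describes for a service receiving a ticket. It shows that the skew test is applied to the authenticator timestamp the client generates when it presents the ticket, not to the time the KDC issued the ticket. The function names, scenario names and sample times are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(seconds=300)  # default maximum clock skew quoted above


def check_ap_req(server_now, authenticator_ctime, ticket_start, ticket_end,
                 skew=MAX_SKEW):
    """Return an RFC 4120 error name, or "OK" if the request passes.

    authenticator_ctime is the client's clock when it built the request,
    not the time the KDC issued the ticket.
    """
    # 1. Skew test: compares the authenticator timestamp to the server clock.
    if abs(server_now - authenticator_ctime) > skew:
        return "KRB_AP_ERR_SKEW"
    # 2. Ticket not yet valid: start time too far in the server's future.
    if ticket_start - server_now > skew:
        return "KRB_AP_ERR_TKT_NYV"
    # 3. Ticket expired: end time too far in the server's past.
    if server_now - ticket_end > skew:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return "OK"


def minutes(n):
    return timedelta(minutes=n)


def scenarios():
    """Constructed sample times: a one-hour ticket issued at 12:00 UTC."""
    t0 = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
    end = t0 + timedelta(hours=1)
    return {
        # Presented 30 min after issue with a fresh authenticator.
        "fresh_at_30min": check_ap_req(t0 + minutes(30), t0 + minutes(30), t0, end),
        # Presented at the 6th minute, client clock in sync with the server.
        "fresh_at_6min": check_ap_req(t0 + minutes(6), t0 + minutes(6), t0, end),
        # Client clock 6 min behind the server: skew, whatever the ticket age.
        "client_6min_behind": check_ap_req(t0 + minutes(30), t0 + minutes(24), t0, end),
        # Ticket still valid, but the authenticator is 10 min old.
        "stale_authenticator": check_ap_req(t0 + minutes(20), t0 + minutes(10), t0, end),
        # 10 min past end time: beyond the skew allowance.
        "expired": check_ap_req(end + minutes(10), end + minutes(10), t0, end),
        # 3 min past end time: still inside the skew allowance.
        "within_allowance": check_ap_req(end + minutes(3), end + minutes(3), t0, end),
    }
```

The model leaves out decryption, the replay cache and ticket flags, which a real service also checks.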
