Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 1.20. Why do I need to synchronize my system clocks to run Kerberos?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Neighborhoods ]


Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.19. What is preauthentication?
Next Document: 1.21. What vendors support Kerberos?
See reader questions & answers on this topic! - Help others by sharing your knowledge

The actual verification of a client's identity is done by validating an
authenticator. The authenticator contains the client's identity and a
timestamp.

To insure that the authenticator is up-to-date and is not an old one that
has been captured by an attacker, the timestamp in the authenticator is
checked against the current time. If the timestamp is not close enough to
the current time (typically within five minutes) then the authenticator is
rejected as invalid. Thus, Kerberos requires your system clocks to be
loosely synchronized (the default is 5 minutes, but it can be adjusted in
Version 5 to be whatever you want).

The paper:

   * Don Davis, Daniel Geer, and Theodore Ts'o, "Kerberos With Clocks
     Adrift: History, Protocols, and Implementation"
     <http://world.std.com/~dtd/synch/synch.ps>

explains a way for Kerberos principals to securely determine the time
without having to rely on a external time source. This is implemented for
clients only in the Kerberos 5 release. With this in place, clients do not
need to synchronize their system clocks to use Kerberos; however,
application servers need to.

Note that it is possible to use the above technique for application servers
as well as clients; it is just not currently implemented that way.

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.19. What is preauthentication?
Next Document: 1.21. What vendors support Kerberos?

Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>





Last Update March 27 2014 @ 02:11 PM