Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.19. What is preauthentication?
Next Document: 1.21. What vendors support Kerberos?

The actual verification of a client's identity is done by validating an authenticator. The authenticator contains the client's identity and a timestamp. To ensure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the timestamp in the authenticator is checked against the current time. If the timestamp is not close enough to the current time (typically within five minutes) then the authenticator is rejected as invalid. Thus, Kerberos requires your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in Version 5 to be whatever you want).

The paper:

  * Don Davis, Daniel Geer, and Theodore Ts'o, "Kerberos With Clocks Adrift: History, Protocols, and Implementation" <http://world.std.com/~dtd/synch/synch.ps>

explains a way for Kerberos principals to securely determine the time without having to rely on an external time source. This is implemented for clients only in the Kerberos 5 release. With this in place, clients do not need to synchronize their system clocks to use Kerberos; however, application servers need to. Note that it is possible to use the above technique for application servers as well as clients; it is just not currently implemented that way.

Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>
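As an added example (not part of the FAQ), the authenticator timestamp check described above, written in Python with the FAQ's five-minute default as the skew window and constructed principal names. The replay cache is an assumed extra on the server side: a captured authenticator presented again inside the window would pass the timestamp check alone, so servers also remember what they have recently seen.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_SKEW = timedelta(minutes=5)   # the FAQ's 5-minute default; tunable in Kerberos 5

@dataclass(frozen=True)
class Authenticator:
    client: str          # client principal name (constructed sample values below)
    ctime: datetime      # the client's clock reading when it built the authenticator
    cusec: int           # microseconds; (client, ctime, cusec) identifies one authenticator

class ReplayCache:
    """Authenticators seen within the skew window (assumed bookkeeping, not FAQ text)."""
    def __init__(self) -> None:
        self.seen: dict[tuple, datetime] = {}

    def expire(self, now: datetime, max_skew: timedelta) -> None:
        # Anything older than the window can never pass the skew check again.
        cutoff = now - max_skew
        for key in [k for k, t in self.seen.items() if t < cutoff]:
            del self.seen[key]

def verify_authenticator(auth: Authenticator, now: datetime, cache: ReplayCache,
                         max_skew: timedelta = DEFAULT_MAX_SKEW) -> str:
    """Return 'ok', 'skew' or 'replay' for one authenticator presented at `now`."""
    # Step 1 (the check the FAQ describes): the client's timestamp must lie
    # within max_skew on either side of the server's own clock.
    if abs(now - auth.ctime) > max_skew:
        return "skew"            # KRB_AP_ERR_SKEW in RFC 4120 terms
    # Step 2: a captured authenticator that is still inside the window passes
    # step 1, so reject any (client, ctime, cusec) already seen.
    cache.expire(now, max_skew)
    key = (auth.client, auth.ctime, auth.cusec)
    if key in cache.seen:
        return "replay"          # KRB_AP_ERR_REPEAT
    cache.seen[key] = auth.ctime
    return "ok"

def demo() -> list[str]:
    """Constructed scenario: a fixed server clock and four presented authenticators."""
    now = datetime(2000, 8, 18, 12, 0, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    fresh = Authenticator("alice@EXAMPLE.ORG", now - timedelta(minutes=2), 1234)
    stale = Authenticator("alice@EXAMPLE.ORG", now - timedelta(minutes=6), 1234)
    ahead = Authenticator("bob@EXAMPLE.ORG", now + timedelta(minutes=4), 42)
    return [verify_authenticator(a, now, cache) for a in (fresh, fresh, stale, ahead)]

if __name__ == "__main__":
    print(demo())   # ['ok', 'replay', 'skew', 'ok']
```

A client whose clock is four minutes ahead is still accepted, which is the "loosely synchronized" behaviour the FAQ describes; the second presentation of the same fresh authenticator is what the timestamp check alone would miss.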
Last Update March 27 2014 @ 02:11 PM