North American Network Operators Group

Re: Question on Loosely Synchronized Router Clocks

  • From: Brandon Galbraith
  • Date: Thu Sep 20 15:55:47 2007

On 9/20/07, James R. Cutler <[email protected]> wrote:
Kerberos does not assume clock synchronization.
Kerberos requires reasonable clock synchronization.
And, as near as I can tell, clock synchronization is not part of the Kerberos protocol.

Kick me if I err in this.


"Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have time availability period and, if the host clock is not synchronized with the clock of Kerberos server, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice, NTP daemons are usually employed to keep the host clocks synchronized."
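The time checks the quoted passage describes, as an added example that is not part of the original message: a simplified service-side acceptor that compares the authenticator timestamp and the ticket validity window against its own clock. The `Ticket`, `Authenticator` and `Acceptor` classes are hypothetical, the 10-minute tolerance is the figure from the quote, the error names are those of RFC 4120, and all cryptography is omitted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Ticket:                 # hypothetical, reduced to its validity window
    starttime: datetime
    endtime: datetime

@dataclass(frozen=True)
class Authenticator:          # hypothetical, reduced to client name + timestamp
    client: str
    ctime: datetime           # client's clock when the request was built

class Acceptor:
    def __init__(self, max_skew=timedelta(minutes=10)):  # figure from the quote
        self.max_skew = max_skew
        self.replay_cache = set()   # (client, ctime) pairs already accepted

    def check(self, ticket, auth, now):
        """Return None to accept, or the RFC 4120 error name to reject."""
        if abs(now - auth.ctime) > self.max_skew:
            return "KRB_AP_ERR_SKEW"
        # Entries older than the skew window would fail the check above anyway.
        self.replay_cache = {(c, t) for c, t in self.replay_cache
                             if now - t <= self.max_skew}
        if (auth.client, auth.ctime) in self.replay_cache:
            return "KRB_AP_ERR_REPEAT"
        if ticket.starttime - now > self.max_skew:
            return "KRB_AP_ERR_TKT_NYV"
        if now - ticket.endtime > self.max_skew:
            return "KRB_AP_ERR_TKT_EXPIRED"
        self.replay_cache.add((auth.client, auth.ctime))
        return None

def demo():
    # Constructed sample times; "now" is the service's own clock.
    now = datetime(2007, 9, 20, 16, 0, tzinfo=timezone.utc)
    m = lambda n: timedelta(minutes=n)
    valid = Ticket(now - m(60), now + m(420))
    just_ended = Ticket(now - m(480), now - m(5))
    long_ended = Ticket(now - m(480), now - m(11))
    svc = Acceptor()
    slow = Authenticator("alice", now - m(3))      # client clock 3 min behind
    return [
        svc.check(valid, slow, now),                               # accepted
        svc.check(valid, slow, now),                               # replayed
        svc.check(valid, Authenticator("bob", now + m(12)), now),  # clock too far off
        svc.check(just_ended, Authenticator("carol", now), now),   # inside tolerance
        svc.check(long_ended, Authenticator("dave", now), now),    # expired
    ]
```

The replay cache only has to remember authenticators for the length of the skew window, which is why the tolerance cannot simply be set arbitrarily large.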