North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: Question on Loosely Synchronized Router Clocks
> Kerberos does not assume clock synchronization. > Kerberos requires reasonable clock synchronization. To be more precise, Kerberos requires those systems for which it is providing (authentication) services to agree, within a configured (usually) 5-10 minutes. There is no requirement that those systems have to agree with anything else outside of their realm. If a particular set of servers all agree that it is currently Jan 10th, 1980, at 0913, Kerberos can be fine with that. Of course, usually, NTP (or something like that) is used to keep all the servers "near" UTC, but keeping clocks at UTC is not a Kerberos requirement. > And, as near as I can tell, clock synchronization is not part > of the Kerberos protocol. It is not, but note that some localized distributions of Kerberos clients did, indeed, ship with various time synchronization tools before they were common on platforms such as Windows and Mac, so some users may have thought that installing Kerberos meant they got clock synchronization.