[Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 6 04:30:14 UTC 2011


On Wed, 05 Oct 2011, Dmitri Pal wrote:
> >> At least, according to the IETF draft on OTP preauth with Kerberos,
> >> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
> >> the client has to submit the next key if clocks have drifted, which implies you
> >> cannot re-use the same OTP next time. To me this looks like in the OTP
> >> case clock synchronization is very important. In our OTP case it does
> >> not matter except for an artificial delay...
> >
> > This is not Kerberos OTP, it does an LDAP simple bind.
> 
> 
> It is more like a "nonce", it is not an OTP that can be generated based
> on some hardware or software token.
> The Kerberos OTP draft is about those OTPs; we are not. We are literally
> One Time Password.
Does it also mean that if clocks were skewed, you would not have a next
chance to use the same password again? If that's the case, it is
better to wait a second or three for time sync.
-- 
/ Alexander Bokovoy



