[Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

Rob Crittenden rcritten at redhat.com
Thu Oct 6 04:38:16 UTC 2011


Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Dmitri Pal wrote:
>>>> At least, according to IETF draft on OTP preauth with kerberos,
>>>> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
>>>> client has to submit next key if clocks have drifted which implies you
>>>> cannot re-use the same OTP next time. To me this looks like in OTP
>>>> case clocks synchronization is very important. In our OTP case it does
>>>> not matter except for an artificial delay...
>>>
>>> This is not Kerberos OTP, it does an LDAP simple bind.
>>
>>
>> It is more like a "nonce", it is not an OTP that can be generated based
>> on some hardware or software token.
>> The Kerberos OTP draft is about those OTPs we are not. We are literally
>> One Time Password.
> Does it also mean if clocks were skewed, you would not have next
> chance to use the same password again? If that's the case, it is
> better to wait a second or three for time sync.

The password is deleted on the bind, it isn't time sensitive. I'm fine 
with any potential delay since the message is printed.

rob
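As an added illustration of the distinction drawn above (example code, not from this thread or from FreeIPA): a time-based OTP per RFC 6238 stops matching once the client clock drifts past a time step, which is why the Kerberos OTP preauth draft cares about clock sync, whereas a single-use enrollment password that is consumed on the bind has no dependency on the client's clock at all. The `JoinPasswordStore` class is a hypothetical model of that second behaviour, not FreeIPA's implementation.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step)


def totp_codes_agree(secret: bytes, server_time: int, client_skew: int) -> bool:
    """Does a client whose clock is off by client_skew seconds produce the server's code?"""
    return totp(secret, server_time) == totp(secret, server_time + client_skew)


class JoinPasswordStore:
    """Hypothetical model of a one-time enrollment password as described in the
    thread: it is deleted on the bind that uses it and carries no time window."""

    def __init__(self) -> None:
        self._pending: set[str] = set()

    def issue(self) -> str:
        pw = secrets.token_hex(16)
        self._pending.add(pw)
        return pw

    def bind(self, pw: str, client_time: int) -> bool:
        # The client's clock is irrelevant; validity depends only on whether
        # the password is still pending. A successful bind consumes it.
        if pw in self._pending:
            self._pending.remove(pw)
            return True
        return False
```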
