Security impact of removing timestamp check in rd_rep()

Luke Howard lukeh at
Sat May 14 08:08:41 GMT 2005

You actually want to check that they are different, to avoid replay.

-- Luke

>From: Andrew Bartlett <abartlet at>
>Subject: Security impact of removing timestamp check in rd_rep()
>To: heimdal-discuss at
>Cc: samba-technical at
>Date: Sat, 14 May 2005 16:42:15 +1000
>
>I've been working on the DCE_STYLE GSSAPI code (mostly by metze) that
>Samba4 needs for the 'Kerberos domain join' problem, and I have solved
>the final piece of the puzzle.
>
>It appears that the encrypted timestamp in the AP_REP (mutual
>authentication) packet, used in the '3rd leg' of the extended GSSAPI
>negotiation is not consistent with the other two timestamps in the
>exchange.  It appears simply to be the real time, on the client now, and
>so varies particularly in the usec field.
>
>So, what I'm wondering is how to still be secure, while removing the
>need for an exact timestamp match here.
>
>To be clear about the packets I'm talking about, I have attached the
>#if 0 patch I used.
>
>Andrew Bartlett
>
>Andrew Bartlett                      
>Authentication Developer, Samba Team 
>Student Network Administrator, Hawker College
>[Attachment: a1/krb5-fix-for-dce-style.patch, text/x-patch]
>[Attachment: signature.asc, application/pgp-signature]

