Question on Loosely Synchronized Router Clocks

Buhrmaster, Gary gtb at slac.stanford.edu
Thu Sep 20 22:51:31 UTC 2007


> Kerberos does not assume clock synchronization.
> Kerberos requires reasonable clock synchronization.

To be more precise, Kerberos requires those systems
for which it is providing (authentication) services
to agree, within a configured (usually) 5-10 minutes.
There is no requirement that those systems have to
agree with anything else outside of their realm.  
If a particular set of servers all agree that it is
currently Jan 10th, 1980, at 0913, Kerberos can be
fine with that.

Of course, usually, NTP (or something like that) is
used to keep all the servers "near" UTC, but keeping
clocks at UTC is not a Kerberos requirement.

> And, as near as I can tell, clock synchronization is not part 
> of the Kerberos protocol.

It is not, but note that some localized distributions
of Kerberos clients did, indeed, ship with various time
synchronization tools before they were common on
platforms such as Windows and Mac, so some users may
have thought that installing Kerberos meant they got
clock synchronization.



More information about the NANOG mailing list