United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-7077172 KerberosTime does not take into account system clock adjustement
JDK-7077172 : KerberosTime does not take into account system clock adjustement

Details
Type:
Bug
Submit Date:
2011-08-10
Status:
Closed
Updated Date:
2012-09-11
Project Name:
JDK
Resolved Date:
2012-09-11
Component:
security-libs
OS:
linux
Sub-Component:
org.ietf.jgss:krb5
CPU:
x86
Priority:
P3
Resolution:
Fixed
Affected Versions:
7
Fixed Versions:

Related Reports
Backport:
Relates:

Sub Tasks

Description
FULL PRODUCT VERSION :
7

A DESCRIPTION OF THE PROBLEM :
Context
-----------
In the Kerberos procotol, current client timestamp is encapsulated in the Kerberos query sent to the KDC to obtain a TGT. The timestamp in the query must be accurate (The KDC timestamp  accepts 5mn deviation in most case); if not the KDC return a "Clock too skew" error.

Problem
------------
  To obtain the current Timestamp, previously in the JDK 6, the 'KerberosTime' 'setNow()' method  instanciates a 'new Date()' object . A JDK 7 bug fix (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6882687) introduces a major change in this class. The current timestamp is evaluated using the time elapsed since the JVM startup (use of System.nanoTime()).
This implementation totally misses the fact that both client and server generally use a time server (NTP) to synchronize their clocks. Clock adjustement is not taking into account in the current implementation while the previous implementation does.

REGRESSION.  Last worked in version 6u26

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Develop a small Java client application that queries a KDC to obtain TGT each minutes. (Both client and KDC are hosted on the same machine)
2. Run the Java application.
3. Set the system clock and add 15 minutes to the current time

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The KDC continues to deliver client TGT using the new time
ACTUAL -
The KDC returns an error 'Clock skew too great'

ERROR MESSAGES/STACK TRACES THAT OCCUR :
The Java application thrown an Exception javax.security.auth.login.LoginException: Clock skew too great (37) - PREAUTH_FAILED

REPRODUCIBILITY :
This bug can be reproduced always.

                                    

Comments
EVALUATION

Add a time check, if calculated time and the clock time has a difference of more than 100ms, adjust to the clock time.
                                     
2011-11-18
EVALUATION

http://hg.openjdk.java.net/jdk8/tl/jdk/rev/5bfff9616b86
                                     
2011-11-18
EVALUATION

In order to verify the fix, you need to manually adjust the system clock during the execution of a program. This seems quite impossible in an automatic test. Noreg-hard added.
                                     
2012-05-09



Hardware and Software, Engineered to Work Together