Clock Skew :
In order to prevent intruders from resetting their system clocks in order to continue to use expired tickets, Kerberos V5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC (as specified in the kdc.conf file). The default value for maximum clock skew is 300 seconds, or five minutes
Service Ticket lifetime :
Value = 0 here means never expires.
Now Say I have a kerberos service ticket that never expires, or at least does not expire for an hour and I have not tampered with the default clock skew value. The questions I have are :
- If I (the client) get a service ticket from KDC now and present it to the service say after 30 mins, will my authentication succeed?
- What logic is used to determine a clock skew ?
- If a ticket with a lifetime = 1 hr or more is presented to the server at the 6th minute ( after being obtained from KDC ), how does the server determine if it is clock skew or just a delayed delivery ?
Note : These questions are part of a larger problem I'm currently trying to solve related to functional testing for validation of kerberos ticket. link