• KDC timeout for MIT Kerberos?

    From Russ Allbery@21:1/5 to All on Wed Feb 9 09:49:32 2022
    A user of my Kerberos PAM module asked whether there was a way to adjust
    the timeout when talking to the KDC. The use case is a laptop that may
    have a dodgy VPN and thus think it's on the Internet but not be able to
    reach the KDC.

    https://github.com/rra/pam-krb5/issues/22

    My understanding is that Heimdal supports the kdc_timeout configuration
    option in krb5.conf, but I don't see an equivalent for MIT Kerberos. Is
    there any way for the application or for the user to control how long it
    takes for the library to decide that it's not going to get a reply from
    the KDC and fail the krb5_get_init_creds_password attempt?

    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Russ Allbery on Thu Feb 10 00:47:54 2022
    To: kerberos@mit.edu

    On 2/9/22 12:49 PM, Russ Allbery wrote:
    > My understanding is that Heimdal supports the kdc_timeout configuration
    > option in krb5.conf, but I don't see an equivalent for MIT Kerberos. Is
    > there any way for the application or for the user to control how long it
    > takes for the library to decide that it's not going to get a reply from
    > the KDC and fail the krb5_get_init_creds_password attempt?

    There's no configuration setting. An application can install a send
    hook (krb5_set_kdc_send_hook()), but that would require reimplementing a
    lot of logic just to change the timeout.

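Added example, not part of the thread and not code from MIT krb5 or pam-krb5: the transport core that a hook installed with krb5_set_kdc_send_hook() would have to supply in order to enforce its own KDC deadline. The helper name kdc_udp_exchange, the loopback stand-in for an unreachable KDC and the 500 ms value are assumptions; it is UDP-only to a single address, so KDC discovery, retries and TCP fallback would still have to be added around it.

```c
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not a libkrb5 function): send one request datagram and
 * wait at most timeout_ms. Returns reply length, or -1 with errno set. */
ssize_t kdc_udp_exchange(const struct sockaddr_in *kdc, const void *req,
                         size_t req_len, void *reply, size_t reply_cap,
                         int timeout_ms)
{
    ssize_t n = -1;
    int saved, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    /* connect() makes the kernel drop datagrams from any other source. */
    if (connect(fd, (const struct sockaddr *)kdc, sizeof(*kdc)) == 0 &&
        send(fd, req, req_len, 0) == (ssize_t)req_len) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc > 0)
            n = recv(fd, reply, reply_cap, 0);
        else if (rc == 0)
            errno = ETIMEDOUT;   /* deadline passed with no reply */
    }
    saved = errno;               /* close() may overwrite errno */
    close(fd);
    errno = saved;
    return n;
}

int main(void)
{
    /* Constructed stand-in for an unreachable KDC: a loopback UDP socket
     * that is bound but never replies. */
    struct sockaddr_in kdc = { .sin_family = AF_INET };
    socklen_t len = sizeof(kdc);
    char reply[4096];
    int silent = socket(AF_INET, SOCK_DGRAM, 0);
    kdc.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    bind(silent, (struct sockaddr *)&kdc, sizeof(kdc));
    getsockname(silent, (struct sockaddr *)&kdc, &len);
    ssize_t n = kdc_udp_exchange(&kdc, "AS-REQ", 6, reply, sizeof(reply), 500);
    printf("n=%zd errno=%s\n", n, n < 0 ? strerror(errno) : "none");
}
```

Inside a send hook, the timeout result would be turned into a krb5 error return and a successful reply would be handed back through the hook's reply output.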