I am a member of Oracle's Java SE security team, and recently we found a bug about the inconsistency of the kdc_timeout setting between Java and other vendors. Java does not support specifying a unit and always treats the value as milliseconds. While the others support units and when no unit is given the value means seconds.
We are going to fix this bug by first supporting the "s" unit. To give a chance for old Java users to specify milliseconds, we plan to also support "ms". Do you think it's useful? i.e. Do customers have a requirement of setting the timeout to be less than one second? Of course, the most difficult thing we (Java) need to determine is what to do when there is no unit. I am thinking of a (v>120 ? ms: s) heuristics but it could be dangerous. I am not asking any other vendor to follow this style, but do you know how people are setting this value?
I do notice MIT's krb5 doc has no kdc_timeout at all. Maybe the algorithm does not care about it anymore?
On 05/18/2014 10:36 PM, Wang Weijun wrote:
> I do notice MIT's krb5 doc has no kdc_timeout at all.
MIT krb5's sendto_kdc timeouts are all hardcoded and, as far as I can
tell, they always have been. Way back in 1.2, there were some global
variables which a sufficiently dodgy application could set, but there
still doesn't seem to have been a public interface for changing them.