unit of kdc_timeout

unit of kdc_timeout

Weijun Wang
Hi All

I am a member of Oracle's Java SE security team, and recently we found a bug about the inconsistency of the kdc_timeout setting between Java and other vendors. Java does not support specifying a unit and always treats the value as milliseconds, while the others support units and, when no unit is given, the value means seconds.

We are going to fix this bug by first supporting the "s" unit. To give a chance for old Java users to specify milliseconds, we plan to also support "ms". Do you think it's useful? i.e. Do customers have a requirement of setting the timeout to be less than one second? Of course, the most difficult thing we (Java) need to determine is what to do when there is no unit. I am thinking of a (v>120 ? ms: s) heuristic but it could be dangerous. I am not asking any other vendor to follow this style, but do you know how people are setting this value?

I do notice MIT's krb5 doc has no kdc_timeout at all. Maybe the algorithm does not care about it anymore?

Thanks
Max


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
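
The ambiguity raised in the message above, as an added example that is not part of the thread and is not code from Java, MIT krb5 or Heimdal: it computes the effective timeout of a `kdc_timeout` line under each rule the post mentions and flags lines where the rules disagree. The function names and sample lines are hypothetical, and the `v>120` rule is the proposal from the post, not a documented behaviour.

```python
import re

# Constructed sample: kdc_timeout lines as they might appear in the
# [libdefaults] section of krb5.conf on different hosts (not from the thread).
SAMPLE_LINES = [
    "kdc_timeout = 30",
    "kdc_timeout = 5000",
    "kdc_timeout = 120",
    "kdc_timeout = 121",
    "kdc_timeout = 500ms",
    "kdc_timeout = 10s",
]

_SETTING = re.compile(r"^\s*kdc_timeout\s*=\s*(\d+)\s*(ms|s)?\s*$")


def readings_ms(value, unit=None):
    """Timeout in milliseconds under each rule mentioned in the thread."""
    if unit is not None:  # explicit unit: only one reading
        return {"explicit": value * 1000 if unit == "s" else value}
    return {
        "always_ms": value,            # Java behaviour described in the post
        "default_s": value * 1000,     # other vendors: no unit means seconds
        "heuristic": value if value > 120 else value * 1000,  # (v>120 ? ms : s)
    }


def audit(lines):
    """Return (line, readings, ambiguous) for every kdc_timeout setting."""
    findings = []
    for line in lines:
        m = _SETTING.match(line)
        if m is None:
            continue
        readings = readings_ms(int(m.group(1)), m.group(2))
        # Ambiguous when the rules disagree on the effective timeout.
        findings.append((line.strip(), readings, len(set(readings.values())) > 1))
    return findings


if __name__ == "__main__":
    for line, readings, ambiguous in audit(SAMPLE_LINES):
        flag = "AMBIGUOUS" if ambiguous else "ok"
        print(f"{flag:9} {line:22} {readings}")
```

Every unitless line is flagged, and the 120/121 pair shows the cliff in the heuristic: one step in the configured number moves the effective timeout from 120 seconds to 121 milliseconds.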

Re: unit of kdc_timeout

Henry B Hotz
I presume this is for parameters specified the "Java way", and you do the right thing when you're reading a krb5.conf file.

I can't personally think of anything where I would care about a sub-second value.  OTOH the standard timeout for kinit is 1 second so it seems possible someone else might.

On May 18, 2014, at 7:38 PM, Wang Weijun <[hidden email]> wrote:

> Hi All
>
> I am a member of Oracle's Java SE security team, and recently we found a bug about the inconsistency of the kdc_timeout setting between Java and other vendors. Java does not support specifying a unit and always treats the value as milliseconds, while the others support units and, when no unit is given, the value means seconds.
>
> We are going to fix this bug by first supporting the "s" unit. To give a chance for old Java users to specify milliseconds, we plan to also support "ms". Do you think it's useful? i.e. Do customers have a requirement of setting the timeout to be less than one second? Of course, the most difficult thing we (Java) need to determine is what to do when there is no unit. I am thinking of a (v>120 ? ms: s) heuristic but it could be dangerous. I am not asking any other vendor to follow this style, but do you know how people are setting this value?
>
> I do notice MIT's krb5 doc has no kdc_timeout at all. Maybe the algorithm does not care about it anymore?
>
> Thanks
> Max
>

Personal email.  [hidden email]




Re: unit of kdc_timeout

Love Hörnquist Åstrand
A sub second unit would be used. However we use time_t, so currently sub second time is not possible in Heimdal.

The default unit is seconds.

Sent from my iPad

On 19 May 2014 at 05:07, "Henry B Hotz" <[hidden email]> wrote:

> I presume this is for parameters specified the "Java way", and you do the right thing when you're reading a krb5.conf file.
>
> I can't personally think of anything where I would care about a sub-second value.  OTOH the standard timeout for kinit is 1 second so it seems possible someone else might.
>
> On May 18, 2014, at 7:38 PM, Wang Weijun <[hidden email]> wrote:
>
>> Hi All
>>
>> I am a member of Oracle's Java SE security team, and recently we found a bug about the inconsistency of the kdc_timeout setting between Java and other vendors. Java does not support specifying a unit and always treats the value as milliseconds, while the others support units and, when no unit is given, the value means seconds.
>>
>> We are going to fix this bug by first supporting the "s" unit. To give a chance for old Java users to specify milliseconds, we plan to also support "ms". Do you think it's useful? i.e. Do customers have a requirement of setting the timeout to be less than one second? Of course, the most difficult thing we (Java) need to determine is what to do when there is no unit. I am thinking of a (v>120 ? ms: s) heuristic but it could be dangerous. I am not asking any other vendor to follow this style, but do you know how people are setting this value?
>>
>> I do notice MIT's krb5 doc has no kdc_timeout at all. Maybe the algorithm does not care about it anymore?
>>
>> Thanks
>> Max
>
> Personal email.  [hidden email]


