
KDC timeout for MIT Kerberos?


Russ Allbery

Feb 9, 2022, 12:50:04 PM
to kerb...@mit.edu
A user of my Kerberos PAM module asked whether there was a way to adjust
the timeout when talking to the KDC. The use case is a laptop that may
have a dodgy VPN and thus think it's on the Internet but not be able to
reach the KDC.

https://github.com/rra/pam-krb5/issues/22

My understanding is that Heimdal supports the kdc_timeout configuration
option in krb5.conf, but I don't see an equivalent for MIT Kerberos. Is
there any way for the application or for the user to control how long it
takes for the library to decide that it's not going to get a reply from
the KDC and fail the krb5_get_init_creds_password attempt?

--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>

Greg Hudson

Feb 10, 2022, 12:48:12 AM
to Russ Allbery, kerb...@mit.edu
On 2/9/22 12:49 PM, Russ Allbery wrote:
> My understanding is that Heimdal supports the kdc_timeout configuration
> option in krb5.conf, but I don't see an equivalent for MIT Kerberos. Is
> there any way for the application or for the user to control how long it
> takes for the library to decide that it's not going to get a reply from
> the KDC and fail the krb5_get_init_creds_password attempt?

There's no configuration setting. An application can install a send
hook (krb5_set_kdc_send_hook()), but that would require reimplementing a
lot of logic just to change the timeout.