[2786] in Kerberos


Re: Kerberos Well known socket numbers

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Mon Aug 23 14:49:05 1993

Date: Mon, 23 Aug 93 14:32:27 EDT
From: tytso@Athena.MIT.EDU (Theodore Ts'o)
To: "Seema Goel" <seema@bnr.ca>
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: Seema (S.) Goel's message of Mon, 23 Aug 1993 13:09:00 +0000 ,

   Date:  Mon, 23 Aug 1993 13:09:00 +0000 
   From: "Seema (S.) Goel" <seema@bnr.ca>

   Is port number 750 hardcoded in the Kerberos software or does it
   do getservbyname for the 'kerberos' service?

It does a getservbyname for "kerberos".

   The reason why I am asking this is because in our company we
   already have Kerberos Version 4 running with port number 750.
   I want to install version 5 now.

   What will be the impact (on the older versions of Kerberos) of 
   changing the 'kerberos' service port number from 750 to 88 and
   the 'kerberos-master' service port number from 751 to 749? 

The Kerberos V5 code is set up to automatically handle the transition
between port 750 and port 88.  Simply make port 88 be "kerberos" in
/etc/services, and port 750 be "kerberos-sec".  (Or, if your site is
primarily V4, then switch the two around.)  The Kerberos KDC will listen
on both ports, and handle Kerberos packets on both.  If you have the V4
backwards compatibility option compiled in, it will handle both Kerberos
V4 and V5 requests.

As far as the "kerberos-master" service, that is currently incompatible
between version 4 and version 5.  (I'd like to look at making the admin
server handle both protocols, but that is a back-burner project.)
So the fact that the officially assigned port is 749 instead of 751
won't matter much, since the V5 and V4 admin protocols currently aren't
compatible.  (And probably won't be; but what might happen in the future
is that the V5 admin server would be extended to also be able to handle
V4 admin requests.)

   And if I change the port numbers, what is the correct procedure?
   In what sequence should the services, servers and clients be
   modified/restarted/rebooted?

The Kerberos V5 KDC is designed to allow for smooth transition between
port 750 and port 88.  You can just install the V5 KDC, and it will
handle both V5 and V4 requests, on both port 750 and port 88.  However,
because the backwards compatibility for the admin server isn't quite
there yet, that cutover will make things not go so smoothly --- at
least for the password changing and administrative programs.  Unless
you're willing to develop (or wait for us to develop) the necessary
compatibility code, you'll have to do a flag day cutover of the kadmin,
kadmind, and kpasswd programs.  But at least you won't need to worry
about doing the same for all of your Kerberos application programs.

						- Ted
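
The /etc/services arrangement described in the message above can be checked before a KDC cutover. This is an added example, not part of the original post or of the Kerberos distribution: the function names `svc_port` and `check_kdc_services`, the choice to check UDP entries, and both sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check a services(5) file for the dual-port KDC mapping.

# svc_port FILE NAME PROTO: print the port NAME (official name or alias) maps to.
svc_port() {
    awk -v name="$2" -v proto="$3" '
        { sub(/#.*/, "") }              # strip comments
        NF < 2 { next }                 # blank or malformed line
        {
            split($2, pp, "/")          # field 2 is port/proto
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == name) { print pp[1]; exit }
        }' "$1"
}

# check_kdc_services FILE: succeed only if "kerberos" and "kerberos-sec"
# cover ports 88 and 750 (either order) for UDP; report which is primary.
check_kdc_services() {
    k=$(svc_port "$1" kerberos udp)
    s=$(svc_port "$1" kerberos-sec udp)
    case "$k/$s" in
        88/750) echo "v5-primary" ;;
        750/88) echo "v4-primary" ;;
        *) echo "mismatch: kerberos=${k:-unset} kerberos-sec=${s:-unset}"
           return 1 ;;
    esac
}

# Constructed sample files (not taken from any real host).
SAMPLE_V5=$(mktemp)
SAMPLE_OLD=$(mktemp)
trap 'rm -f "$SAMPLE_V5" "$SAMPLE_OLD"' EXIT
cat > "$SAMPLE_V5" <<'EOF'
kerberos        88/udp      # V5 port is the primary name
kerberos        88/tcp
kerberos-sec    750/udp     # V4 port, still served by the KDC
kerberos-master 749/tcp
EOF
cat > "$SAMPLE_OLD" <<'EOF'
kerberos        750/udp     # V4-only site, not yet updated
kerberos-master 751/tcp
EOF

check_kdc_services "$SAMPLE_V5"
check_kdc_services "$SAMPLE_OLD" || echo "services file needs the second entry"
```

On a real host, pass `/etc/services` as the file argument; a mismatch means clients and the KDC may resolve "kerberos" to different ports.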

