[28382] in Kerberos
Re: recent kadmin vulnernability and changing passwords
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Thu Sep 6 14:38:08 2007
Date: Thu, 6 Sep 2007 13:37:15 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Edgecombe, Jason" <jwedgeco@uncc.edu>
Message-ID: <20070906183714.GB22618@Sun.COM>
Mail-Followup-To: "Edgecombe, Jason" <jwedgeco@uncc.edu>,
kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <A01ABA2A211C644596549C5FF91C50E417CB3152@EXEVS02.its.uncc.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thu, Sep 06, 2007 at 08:55:47AM -0400, Edgecombe, Jason wrote:
> Hi All,
> Does kpasswd use the kadmin protocol? I'm just looking at options for
> mitigating the vulnerability.
The Solaris kpasswd will use either the kadmin password or the kpasswd
protocol. I don't recall if the same is true for the MIT kpasswd.
But both protocols are served by the same kadmind binary. To mitigate
the issue you can setup a packet filter that blocks connections to the
kadmin port.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos