[28383] in Kerberos

home help back first fref pref prev next nref lref last post

RE: recent kadmin vulnernability and changing passwords

daemon@ATHENA.MIT.EDU (Edgecombe, Jason)
Thu Sep 6 15:19:42 2007

Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 6 Sep 2007 15:16:07 -0400
Message-ID: <A01ABA2A211C644596549C5FF91C50E417CB32EB@EXEVS02.its.uncc.edu>
In-Reply-To: <20070906183714.GB22618@Sun.COM>
From: "Edgecombe, Jason" <jwedgeco@uncc.edu>
To: "Nicolas Williams" <Nicolas.Williams@sun.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Thanks.

I was wondering how blocking the port would affect password changes. It
looks like it would block all password changes unless I white-list all
of our machines.

Thanks,
Jason

Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 

-----Original Message-----
From: Nicolas Williams [mailto:Nicolas.Williams@sun.com] 
Sent: Thursday, September 06, 2007 2:37 PM
To: Edgecombe, Jason
Cc: kerberos@mit.edu
Subject: Re: recent kadmin vulnernability and changing passwords

On Thu, Sep 06, 2007 at 08:55:47AM -0400, Edgecombe, Jason wrote:
> Hi All,
> Does kpasswd use the kadmin protocol? I'm just looking at options for
> mitigating the vulnerability.

The Solaris kpasswd will use either the kadmin password or the kpasswd
protocol.  I don't recall if the same is true for the MIT kpasswd.

But both protocols are served by the same kadmind binary.  To mitigate
the issue you can setup a packet filter that blocks connections to the
kadmin port.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post