[28384] in Kerberos
Re: recent kadmin vulnernability and changing passwords
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Sep 6 15:24:13 2007
To: "Edgecombe, Jason" <jwedgeco@uncc.edu>
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 06 Sep 2007 15:23:50 -0400
In-Reply-To: <A01ABA2A211C644596549C5FF91C50E417CB32EB@EXEVS02.its.uncc.edu>
(Jason Edgecombe's message of "Thu, 6 Sep 2007 15:16:07 -0400")
Message-ID: <ldvfy1rpph5.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: Nicolas Williams <nicolas.williams@sun.com>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>>>>> "Jason" == Edgecombe, Jason <jwedgeco@uncc.edu> writes:
Jason> Thanks.
Jason> I was wondering how blocking the port would affect password changes. It
Jason> looks like it would block all password changes unless I white-list all
Jason> of our machines.
The kpasswd port and the kadmin port are different. If you block the
kadmin port but not the kpasswd port, you will only prevent password
changes from clients that attempt to use the kadmin protocol to change
the password, and not the ones that use the kpasswd protocol. The
kpasswd client shipped with MIT krb5 uses the kpasswd protocol to
change passwords.
---Tom
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos