krb5 commit: Remove port 750 from the KDC default ports
Greg Hudson
ghudson at mit.edu
Thu Mar 24 11:56:16 EDT 2016
https://github.com/krb5/krb5/commit/624476e0350cde6c37078a808c7b6bceb6046c53
commit 624476e0350cde6c37078a808c7b6bceb6046c53
Author: Sarah Day <sarahday at mit.edu>
Date: Thu Jan 14 13:11:21 2016 -0500
Remove port 750 from the KDC default ports
The KDC was still listening on port 750 despite the fact that
this functionality was supposed to have been removed in the
past. Remove port 750 from the list of UDP ports that the KDC
listens on. Also remove port 750 from the default ports that
the client connects to, and from example config fragments.
ticket: 8388 (new)
doc/admin/admin_commands/krb5kdc.rst | 2 +-
doc/admin/conf_files/krb5_conf.rst | 2 +-
doc/admin/install_kdc.rst | 2 +-
doc/mitK5defaults.rst | 1 -
src/config-files/kdc.conf | 4 +-
src/config-files/services.append | 20 ---------------
src/include/osconf.hin | 6 +----
src/lib/krb5/os/locate_kdc.c | 43 ++++++++++++----------------------
src/lib/krb5/os/sendto_kdc.c | 3 +-
src/lib/krb5/os/t_locate_kdc.c | 3 +-
src/lib/krb5/os/td_krb5.conf | 2 +-
src/man/krb5.conf.man | 2 +-
src/man/krb5kdc.man | 2 +-
src/util/profile/test.ini | 4 +-
14 files changed, 28 insertions(+), 68 deletions(-)
diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst
index 711159b..7ec4ee4 100644
--- a/doc/admin/admin_commands/krb5kdc.rst
+++ b/doc/admin/admin_commands/krb5kdc.rst
@@ -62,7 +62,7 @@ which the KDC should listen on for Kerberos version 5 requests, as a
comma-separated list. This value overrides the UDP port numbers
specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but
may be overridden by realm-specific values. If no value is given from
-any source, the default ports are 88 and 750.
+any source, the default port is 88.
The **-w** *numworkers* option tells the KDC to fork *numworkers*
processes to listen to the KDC ports and process requests in parallel.
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 0f398a6..bf7d240 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1130,7 +1130,7 @@ Here is an example of a generic krb5.conf file::
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
- kdc = kerberos-2.mit.edu:750
+ kdc = kerberos-2.mit.edu
admin_server = kerberos.mit.edu
master_kdc = kerberos.mit.edu
}
diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst
index af93899..1d8c4bc 100644
--- a/doc/admin/install_kdc.rst
+++ b/doc/admin/install_kdc.rst
@@ -108,7 +108,7 @@ and location, and logging.
An example kdc.conf file::
[kdcdefaults]
- kdc_ports = 88,750
+ kdc_ports = 88
[realms]
ATHENA.MIT.EDU = {
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
index 838dabb..443bcc5 100644
--- a/doc/mitK5defaults.rst
+++ b/doc/mitK5defaults.rst
@@ -24,7 +24,6 @@ Master key default enctype |defmkey|
Default :ref:`keysalt list<Keysalt_lists>` |defkeysalts|
Permitted enctypes |defetypes|
KDC default port 88
-Second KDC default port 750
Admin server port 749
Password change port 464
========================================== ============================= ====================
diff --git a/src/config-files/kdc.conf b/src/config-files/kdc.conf
index b17f3aa..e7ef0f9 100644
--- a/src/config-files/kdc.conf
+++ b/src/config-files/kdc.conf
@@ -1,12 +1,12 @@
[kdcdefaults]
- kdc_ports = 750,88
+ kdc_ports = 88
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
- kdc_ports = 750,88
+ kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
diff --git a/src/config-files/services.append b/src/config-files/services.append
index bd1010f..a32fae6 100644
--- a/src/config-files/services.append
+++ b/src/config-files/services.append
@@ -1,25 +1,5 @@
-#
-# Note --- if you are using Kerberos V4 clients and you either (a)
-# haven't converted all your KDC's over to use V5, or (b) are worried
-# about inter-realm interoperability with other KDC's that are still
-# using V4, then you will have to switch the definition of kerberos and
-# kerberos-sec.
-#
-# The issue is that the official port assignement for the "kerberos"
-# port is port 88, yet the unofficial port that has been used for
-# Kerberos V4 is port 750. The V5 KDC will respond to requests made on
-# either port, and if V4 compatibility is turned on, it will respond to
-# V4 requests on either port as well.
-#
-#
-# Hence, it is safe to switch the definitions of kerberos and
-# kerberos-sec; both should be defined, though, and one should be port
-# 88 and one should be port 750.
-#
kerberos 88/udp kdc # Kerberos authentication--udp
kerberos 88/tcp kdc # Kerberos authentication--tcp
-kerberos-sec 750/udp # Kerberos authentication--udp
-kerberos-sec 750/tcp # Kerberos authentication--tcp
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index 922d796..b2b355b 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -80,16 +80,12 @@
#define KDCRCACHE "dfl:krb5kdc_rcache"
#define KDC_PORTNAME "kerberos" /* for /etc/services or equiv. */
-#define KDC_SECONDARY_PORTNAME "kerberos-sec" /* For backwards */
-/* compatibility with */
-/* port 750 clients */
#define KRB5_DEFAULT_PORT 88
-#define KRB5_DEFAULT_SEC_PORT 750
#define DEFAULT_KPASSWD_PORT 464
-#define DEFAULT_KDC_UDP_PORTLIST "88,750"
+#define DEFAULT_KDC_UDP_PORTLIST "88"
#define DEFAULT_KDC_TCP_PORTLIST "88"
/*
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index 160a2d0..196b426 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -216,7 +216,7 @@ server_list_contains(struct serverlist *list, struct server_entry *server)
static krb5_error_code
locate_srv_conf_1(krb5_context context, const krb5_data *realm,
const char * name, struct serverlist *serverlist,
- k5_transport transport, int udpport, int sec_udpport)
+ k5_transport transport, int udpport)
{
const char *realm_srv_names[4];
char **hostlist, *host, *port, *cp;
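Review bot: The new signature of locate_srv_conf_1 drops sec_udpport but still carries no comment stating what the remaining udpport parameter is; later in the function it is copied unchanged into port_num as the fallback when a kdc entry names no port and the transport is not HTTPS, and it is passed through ntohs() for tracing, so it is expected in network byte order, as the callers' htons() values in the prof_locate_server and t_locate_kdc.c hunks show. A short comment above the definition would make that contract explicit: `/* udpport: default port in network byte order, used when a config entry gives none. */`. The function's body continues past the end of this hunk.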
@@ -224,7 +224,7 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm,
int i;
Tprintf ("looking in krb5.conf for realm %s entry %s; ports %d,%d\n",
- realm->data, name, ntohs (udpport), ntohs (sec_udpport));
+ realm->data, name, ntohs(udpport));
if ((host = malloc(realm->length + 1)) == NULL)
return ENOMEM;
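Review bot: The Tprintf format string on the unchanged context line still has two integer conversions, `ports %d,%d`, while the added argument line now ends at `ntohs(udpport)`, so one `%d` has no matching argument; whenever Tprintf expands to a printf-family call, that is undefined behavior and prints a garbage value in the trace. The format string should shrink together with the argument list: `Tprintf("looking in krb5.conf for realm %s entry %s; port %d\n",` followed by `realm->data, name, ntohs(udpport));`. Tprintf's definition is outside the hunk, as is the rest of locate_srv_conf_1's body.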
@@ -250,7 +250,7 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm,
}
for (i=0; hostlist[i]; i++) {
- int p1, p2;
+ int port_num;
k5_transport this_transport = transport;
char *uri_path = NULL;
@@ -276,14 +276,11 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm,
/* L is unsigned, don't need to check <0. */
if (l > 65535)
return EINVAL;
- p1 = htons (l);
- p2 = 0;
+ port_num = htons(l);
} else if (this_transport == HTTPS) {
- p1 = htons(443);
- p2 = 0;
+ port_num = htons(443);
} else {
- p1 = udpport;
- p2 = sec_udpport;
+ port_num = udpport;
}
/* If the hostname was in brackets, strip those off now. */
@@ -292,15 +289,8 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm,
*cp = '\0';
}
- code = add_host_to_list(serverlist, host, p1, this_transport,
+ code = add_host_to_list(serverlist, host, port_num, this_transport,
AF_UNSPEC, uri_path);
- /* Second port is for IPv4 UDP only, and should possibly go away as
- * it was originally a krb4 compatibility measure. */
- if (code == 0 && p2 != 0 &&
- (this_transport == TCP_OR_UDP || this_transport == UDP)) {
- code = add_host_to_list(serverlist, host, p2, UDP, AF_INET,
- uri_path);
- }
if (code)
goto cleanup;
}
@@ -313,13 +303,11 @@ cleanup:
#ifdef TEST
static krb5_error_code
krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
- const char *name, struct serverlist *al, int udpport,
- int sec_udpport)
+ const char *name, struct serverlist *al, int udpport)
{
krb5_error_code ret;
- ret = locate_srv_conf_1(context, realm, name, al, TCP_OR_UDP, udpport,
- sec_udpport);
+ ret = locate_srv_conf_1(context, realm, name, al, TCP_OR_UDP, udpport);
if (ret)
return ret;
if (al->nservers == 0) /* Couldn't resolve any KDC names */
@@ -505,7 +493,7 @@ prof_locate_server(krb5_context context, const krb5_data *realm,
k5_transport transport)
{
const char *profname;
- int dflport1, dflport2 = 0;
+ int dflport = 0;
struct servent *serv;
switch (svc) {
@@ -515,31 +503,30 @@ prof_locate_server(krb5_context context, const krb5_data *realm,
have old, crufty, wrong settings that this is probably
better. */
kdc_ports:
- dflport1 = htons(KRB5_DEFAULT_PORT);
- dflport2 = htons(KRB5_DEFAULT_SEC_PORT);
+ dflport = htons(KRB5_DEFAULT_PORT);
break;
case locate_service_master_kdc:
profname = KRB5_CONF_MASTER_KDC;
goto kdc_ports;
case locate_service_kadmin:
profname = KRB5_CONF_ADMIN_SERVER;
- dflport1 = htons(DEFAULT_KADM5_PORT);
+ dflport = htons(DEFAULT_KADM5_PORT);
break;
case locate_service_krb524:
profname = KRB5_CONF_KRB524_SERVER;
serv = getservbyname("krb524", "udp");
- dflport1 = serv ? serv->s_port : htons(4444);
+ dflport = serv ? serv->s_port : htons(4444);
break;
case locate_service_kpasswd:
profname = KRB5_CONF_KPASSWD_SERVER;
- dflport1 = htons(DEFAULT_KPASSWD_PORT);
+ dflport = htons(DEFAULT_KPASSWD_PORT);
break;
default:
return EBUSY; /* XXX */
}
return locate_srv_conf_1(context, realm, profname, serverlist, transport,
- dflport1, dflport2);
+ dflport);
}
#ifdef KRB5_DNS_LOOKUP
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index a2bc591..952228c 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1439,8 +1439,7 @@ service_fds(krb5_context context, struct select_state *selstate,
* If P=3, Total = 3*U + T + 14.
* If P=4, Total = 4*U + T + 30.
*
- * Note that if you try to reach two ports (e.g., both 88 and 750) on
- * one server, it counts as two.
+ * Note that if you try to reach two ports on one server, it counts as two.
*
* There is one exception to the above rules. Whenever a TCP connection is
* established, we wait up to ten seconds for it to finish or fail before
diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c
index e986ae9..4bf9795 100644
--- a/src/lib/krb5/os/t_locate_kdc.c
+++ b/src/lib/krb5/os/t_locate_kdc.c
@@ -121,8 +121,7 @@ main (int argc, char *argv[])
switch (how) {
case LOOKUP_CONF:
- err = krb5_locate_srv_conf(ctx, &realm, "kdc", &sl,
- htons(88), htons(750));
+ err = krb5_locate_srv_conf(ctx, &realm, "kdc", &sl, htons(88));
break;
case LOOKUP_DNS:
diff --git a/src/lib/krb5/os/td_krb5.conf b/src/lib/krb5/os/td_krb5.conf
index cdee609..edf0353 100644
--- a/src/lib/krb5/os/td_krb5.conf
+++ b/src/lib/krb5/os/td_krb5.conf
@@ -3,7 +3,7 @@
[realms]
DEFAULT_REALM.TST = {
- kdc = FIRST.KDC.HOST:750
+ kdc = FIRST.KDC.HOST
kdc = SECOND.KDC.HOST:88
admin_server = FIRST.KDC.HOST
default_domain = MIT.EDU
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 65cc51c..a4b30e9 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1416,7 +1416,7 @@ Here is an example of a generic krb5.conf file:
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos\-1.mit.edu
- kdc = kerberos\-2.mit.edu:750
+ kdc = kerberos\-2.mit.edu
admin_server = kerberos.mit.edu
master_kdc = kerberos.mit.edu
}
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 663b2ec..505eff0 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -82,7 +82,7 @@ which the KDC should listen on for Kerberos version 5 requests, as a
comma\-separated list. This value overrides the UDP port numbers
specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but
may be overridden by realm\-specific values. If no value is given from
-any source, the default ports are 88 and 750.
+any source, the default port is 88.
.sp
The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP
processes to listen to the KDC ports and process requests in parallel.
diff --git a/src/util/profile/test.ini b/src/util/profile/test.ini
index c1c8830..23ca896 100644
--- a/src/util/profile/test.ini
+++ b/src/util/profile/test.ini
@@ -13,8 +13,8 @@ this is a comment. Everything up to the first square brace is ignored.
[realms]
ATHENA.MIT.EDU = {
server = KERBEROS.MIT.EDU:88
- server = KERBEROS1.MIT.EDU:750
- server = KERBEROS2.MIT.EDU:750
+ server = KERBEROS1.MIT.EDU
+ server = KERBEROS2.MIT.EDU
admin = KERBEROS.MIT.EDU
etype = DES-MD5
}