recent kadmin vulnerability and changing passwords

Tom Yu tlyu at MIT.EDU
Thu Sep 6 15:23:50 EDT 2007


>>>>> "Jason" == Edgecombe, Jason <jwedgeco at uncc.edu> writes:

Jason> Thanks.
Jason> I was wondering how blocking the port would affect password changes. It
Jason> looks like it would block all password changes unless I white-list all
Jason> of our machines.

The kpasswd port and the kadmin port are different.  If you block the
kadmin port but not the kpasswd port, you will only prevent password
changes from clients that attempt to use the kadmin protocol to change
the password, and not the ones that use the kpasswd protocol.  The
kpasswd client shipped with MIT krb5 uses the kpasswd protocol to
change passwords.

---Tom


