kpasswd over firewall and TCP

Meike Stone meike.stone at googlemail.com
Thu May 7 09:40:29 EDT 2015


2015-05-06 18:35 GMT+02:00 Meike Stone <meike.stone at googlemail.com>:
> 2015-05-06 17:01 GMT+02:00 Greg Hudson <ghudson at mit.edu>:
>> On 05/06/2015 10:45 AM, Meike Stone wrote:
>>> I like to use kpasswd, but the kpasswd_server is behind a firewall and
>>> only TCP port 464 is allowed.
>>> But as I see, kpasswd only uses UDP. Setting udp_preference_limit to 0
>>> (under libdefaults) didn't help.
>>
>> The intent of the changepw.c code is to try both UDP and TCP first
>> (typically beginning with a UDP query, but udp_preference_limit could
>> cause a TCP query to be tried first), and then retry with only TCP if it
>> gets back a KRB5KRB_ERR_RESPONSE_TOO_BIG error.
>>
>> As far as I know this code functions as intended.  Can you describe in
>> more detail what leads you to believe that it is only trying UDP?  Also,
>> what version are you using on the client, and what is running on the
>> kpasswd server?
>
> The client is KfW 4.0.1 32bit. The kpasswd server is AD W2k8; UDP and
> TCP (port 464) on the server are open.
> On the firewall is a proxy firewall with a rule for port TCP 464.
>
> If I start kpasswd, I see at first a few port 88 (preauth) packets, then I only
> see a UDP packet to port 464, no tries for TCP:
>
> 18:31:39.696660 IP (tos 0x0, ttl 128, id 31724, offset 0, flags [+],
> proto UDP (17), length 1500) 192.168.1.217.4350 > 192.168.1.20.464:
> UDP, length 1550
> 18:31:39.696737 IP (tos 0xc0, ttl 64, id 12852, offset 0, flags
> [none], proto ICMP (1), length 576) 192.168.1.20 > 192.168.1.217: ICMP
> 192.168.1.20 udp port 464 unreachable, length 556
>
> (client 192.168.1.217 / proxy firewall: 92.168.1.20)
>
> Error message is:
> "kpasswd: Cannot contact any KDC for requested realm changing password"


Here the KRB5_TRACE from the test environment:

#1  - Getting initial credentials for mstone at MYCORP.NET
#2  - FAST armor ccache: API:Initial default ccache
#3  - Retrieving mstone at MYCORP.NET ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYCORP.NET\@MYCORP.NET at X-CACHECONF:
from API:Initial default ccache with result: -1765328243/Matching
credential not found
#4  - Setting initial creds service to kadmin/changepw
#5  - FAST armor ccache: API:Initial default ccache
#6  - Retrieving mstone at MYCORP.NET ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYCORP.NET\@MYCORP.NET at X-CACHECONF:
from API:Initial default ccache with result: -1765328243/Matching
credential not found
#7  - Sending request (183 bytes) to MYCORP.NET
#8  - Resolving hostname ad10.MYCORP.NET
#9  - Sending initial UDP request to dgram 192.168.1.20:88
#10 - UDP error receiving from dgram 192.168.1.20:88: 108/Unknown error
#11 - Resolving hostname ad10.MYCORP.NET
#12 - Sending initial UDP request to dgram 192.168.1.20:750
#13 - UDP error receiving from dgram 192.168.1.20:750: 108/Unknown error
#14 - Initiating TCP connection to stream 192.168.1.20:88
#15 - Sending TCP request to stream 192.168.1.20:88
#16 - Received answer from stream 192.168.1.20:88
#17 - Response was not from master KDC
#18 - Received error from KDC: -1765328359/Additional
pre-authentication required
#19 - Processing preauth types: 16, 15, 19, 2
#20 - Selected etype info: etype rc4-hmac, salt "(null)", params ""
#21 - AS key obtained for encrypted timestamp: rc4-hmac/DD53
#22 - Encrypted timestamp (for 1431003262.414001): plain 301AA0...
...065131, encrypted 7B9697... ...F2D10B3
#23 - Preauth module encrypted_timestamp (2) (flags=1) returned:
0/Unknown code 0
#24 - Produced preauth for next request: 2
#25 - Sending request (257 bytes) to MYCORP.NET
#26 - Resolving hostname ad10.MYCORP.NET
#27 - Sending initial UDP request to dgram 192.168.1.20:88
#28 - UDP error receiving from dgram 192.168.1.20:88: 108/Unknown error
#29 - Resolving hostname ad10.MYCORP.NET
#30 - Sending initial UDP request to dgram 192.168.1.20:750
#31 - UDP error receiving from dgram 192.168.1.20:750: 108/Unknown error
#32 - Initiating TCP connection to stream 192.168.1.20:88
#33 - Sending TCP request to stream 192.168.1.20:88
#34 - Received answer from stream 192.168.1.20:88
#35 - Response was not from master KDC
#36 - Salt derived from principal: MYCORP.NETmstone
#37 - AS key determined by preauth: rc4-hmac/DD53
#38 - Decrypted AS reply; session key is: rc4-hmac/BC0E
#39 - FAST negotiation: unavailable
#40 - Creating authenticator for mstone at MYCORP.NET ->
kadmin/changepw at MYCORP.NET, seqnum 0, subkey rc4-hmac/F193, session
key rc4-hmac/BC0E
#41 - Resolving hostname ad10.MYCORP.NET
#42 - Sending initial UDP request to dgram 192.168.1.20:464
#43 - UDP error receiving from dgram 192.168.1.20:464: 108/Unknown error

We can see that for the Kerberos port (88) it tries UDP first and then TCP
(#8-#16 and #26-#34), but for the kpasswd port (464) it only tries UDP
(#42-#43) ...

>
> In the source code (kfw-4.0.1-src.zip), it looks like it is hard coded
> (as above) in the following lines:
> "     if (code) {
>             /*
>              * Here we may want to switch to TCP on some errors.
>              * right?
>              */
>             break;
>         }
> "
>
> Thanks Meike
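The transport behaviour visible in the trace above can be checked mechanically. The following script is an added example, not code from the thread or from MIT Kerberos: it parses KRB5_TRACE lines, counts UDP attempts, UDP errors and TCP connection attempts per destination port, and reports ports where UDP failed without any TCP fallback, which is exactly the port-88 vs. port-464 difference shown in the trace. The sample trace is a constructed, abridged copy of the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: abridged KRB5_TRACE lines as posted in the thread.
# Port 88 falls back to TCP after UDP errors; port 464 never does.
SAMPLE_TRACE = """\
#9  - Sending initial UDP request to dgram 192.168.1.20:88
#10 - UDP error receiving from dgram 192.168.1.20:88: 108/Unknown error
#14 - Initiating TCP connection to stream 192.168.1.20:88
#15 - Sending TCP request to stream 192.168.1.20:88
#16 - Received answer from stream 192.168.1.20:88
#42 - Sending initial UDP request to dgram 192.168.1.20:464
#43 - UDP error receiving from dgram 192.168.1.20:464: 108/Unknown error
"""

# Patterns for the trace messages the libkrb5 sendto_kdc code emits.
UDP_SEND = re.compile(r"Sending initial UDP request to dgram ([\d.]+):(\d+)")
UDP_ERR = re.compile(r"UDP error receiving from dgram ([\d.]+):(\d+)")
TCP_INIT = re.compile(r"Initiating TCP connection to stream ([\d.]+):(\d+)")
ANSWER = re.compile(r"Received answer from stream ([\d.]+):(\d+)")


def analyze_transports(trace_text):
    """Per destination port: UDP attempts, UDP errors, TCP attempts, answered."""
    stats = defaultdict(lambda: {"udp_attempts": 0, "udp_errors": 0,
                                 "tcp_attempts": 0, "answered": False})
    for line in trace_text.splitlines():
        for rx, key in ((UDP_SEND, "udp_attempts"),
                        (UDP_ERR, "udp_errors"),
                        (TCP_INIT, "tcp_attempts")):
            m = rx.search(line)
            if m:
                stats[int(m.group(2))][key] += 1
        m = ANSWER.search(line)
        if m:
            stats[int(m.group(2))]["answered"] = True
    return dict(stats)


def ports_without_tcp_fallback(trace_text):
    """Ports where every UDP attempt errored and no TCP connection was tried."""
    stats = analyze_transports(trace_text)
    return sorted(port for port, s in stats.items()
                  if s["udp_errors"] and not s["tcp_attempts"])


if __name__ == "__main__":
    for port, s in sorted(analyze_transports(SAMPLE_TRACE).items()):
        print(port, s)
    print("no TCP fallback on ports:", ports_without_tcp_fallback(SAMPLE_TRACE))
```

Run it with `KRB5_TRACE=/dev/stdout kpasswd 2>&1 | python3 script.py` style piping only after replacing SAMPLE_TRACE with the captured output; ports reported by ports_without_tcp_fallback are the ones a TCP-only firewall rule will block.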

