kpasswd over firewall and TCP

Greg Hudson ghudson at
Thu May 7 11:44:53 EDT 2015

On 05/06/2015 12:35 PM, Meike Stone wrote:
> The client is KfW 4.0.1 32-bit. The kpasswd server is AD W2k8; UDP and
> TCP (port 464) on the server are open.
> On the firewall is a proxy firewall with a rule for port TCP 464.
> If I start kpasswd, I get at first a few port 88 (preauth), then I only
> see a UDP packet on port 464, no tries for TCP:

Thanks for the additional details.

On a closer look, it appears that krb5 1.12 and prior try password
changes with UDP only, and only retry with TCP on a
KRB5KRB_ERR_RESPONSE_TOO_BIG error (which is very unlikely to happen).
krb5 1.13 tries both UDP and TCP, and switches to TCP-only on a too-big
error.  udp_preference_limit doesn't affect password changes in any
version; it only applies to messages sent to a KDC.

KfW 4.0 is based on krb5 1.10.  The forthcoming KfW 4.1 will be based on
krb5 1.13 and should fix this problem.  Since you are looking at the
source code, here is a simple patch against 1.10 which would make it
behave like 1.13 in this respect:

diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 4ad8f32..57bd056 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -256,7 +256,9 @@ change_set_password(krb5_context context,
     callback_ctx.local_seq_num =

     do {
-        int socktype = (use_tcp ? SOCK_STREAM : SOCK_DGRAM);
+        int socktype = (use_tcp ? SOCK_STREAM : 0);
+        int socktype1 = (use_tcp ? SOCK_STREAM : SOCK_DGRAM);
+        int socktype2 = (use_tcp ? 0 : SOCK_STREAM);
         if ((code = locate_kpasswd(callback_ctx.context,
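Review bot: the three socket-type variables introduced at the top of the loop use a bare 0 as a sentinel with no explanation; a one-line comment on each would make the intent readable, e.g. `/* 0: locate servers for any transport */` on `socktype`, and a note that on the first pass `socktype1 = SOCK_DGRAM, socktype2 = SOCK_STREAM` (try UDP, then fall back to TCP) while after a too-big error `use_tcp` yields `socktype1 = SOCK_STREAM, socktype2 = 0` (TCP only). The visible context also does not show where the redefined `socktype` (now 0 or SOCK_STREAM) is consumed; the `locate_kpasswd` call is cut off, so confirm it still takes `socktype`, otherwise the variable is dead after this change.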
@@ -270,7 +272,7 @@ change_set_password(krb5_context context,
         callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
         krb5_free_data_contents(callback_ctx.context, &chpw_rep);

-        code = k5_sendto(callback_ctx.context, NULL, &sl, socktype, 0,
+        code = k5_sendto(callback_ctx.context, NULL, &sl, socktype1,
                          &callback_info, &chpw_rep, ss2sa(&remote_addr),
                          &addrlen, NULL, NULL, NULL);
         if (code) {
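Review bot: the rewritten `k5_sendto` call drops an argument. The original line passed two socket types, `socktype, 0,`, but the replacement passes only `socktype1,` and is followed by the unchanged `&callback_info, &chpw_rep, ...` line, so `socktype2` declared in the first hunk is never used and the call no longer matches the original's argument list. The line should presumably read `code = k5_sendto(callback_ctx.context, NULL, &sl, socktype1, socktype2,`; as shown, the patch will not compile.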
