kpasswd over firewall and TCP
Meike Stone
meike.stone at googlemail.com
Thu May 7 12:02:14 EDT 2015
Oh thanks Greg,
2015-05-07 17:44 GMT+02:00 Greg Hudson <ghudson at mit.edu>:
> On 05/06/2015 12:35 PM, Meike Stone wrote:
>> The client is KfW 4.0.1 32-bit. The kpasswd server is AD W2k8; UDP and
>> TCP (port 464) on the server are open.
>> On the firewall is a proxy firewall with a rule for port TCP 464.
>>
>> If I start kpasswd, I first see a few port 88 (preauth) packets, then I only
>> see a UDP packet to port 464, no tries for TCP:
>
> Thanks for the additional details.
>
> On a closer look, it appears that krb5 1.12 and prior try password
> changes with UDP only, and only retry with TCP on a
> KRB5KRB_ERR_RESPONSE_TOO_BIG error (which is very unlikely to happen).
> krb5 1.13 tries both UDP and TCP, and switches to TCP-only on a too-big
> error. udp_preference_limit doesn't affect password changes in any
> version; it only applies to messages sent to a KDC.
That information helps me a lot! That can solve my problems!
>
> KfW 4.0 is based on krb5 1.10. The forthcoming KfW 4.1 will be based on
> krb5 1.13 and should fix this problem. Since you are looking at the
> source code, here is a simple patch against 1.10 which would make it
> behave like 1.13 in this respect:
ok, thanks!
>
> diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
> index 4ad8f32..57bd056 100644
> --- a/src/lib/krb5/os/changepw.c
> +++ b/src/lib/krb5/os/changepw.c
> @@ -256,7 +256,9 @@ change_set_password(krb5_context context,
> callback_ctx.local_seq_num =
> callback_ctx.auth_context->local_seq_number;
>
> do {
> - int socktype = (use_tcp ? SOCK_STREAM : SOCK_DGRAM);
> + int socktype = (use_tcp ? SOCK_STREAM : 0);
> + int socktype1 = (use_tcp ? SOCK_STREAM : SOCK_DGRAM);
> + int socktype2 = (use_tcp ? 0 : SOCK_STREAM);
> if ((code = locate_kpasswd(callback_ctx.context,
> krb5_princ_realm(callback_ctx.context,
> creds->server),
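Review bot: the three variables `socktype`, `socktype1` and `socktype2` are hard to tell apart by name, and nothing in the hunk says what the value 0 means in `use_tcp ? SOCK_STREAM : 0` (for `socktype`, presumably still handed to the locate_kpasswd() call whose argument list is cut off here) and in `use_tcp ? 0 : SOCK_STREAM` (for `socktype2`). A short comment above the three declarations, along the lines of `/* 0 = no transport preference for locating; 0 as second transport = none */`, or names such as `locate_socktype`, `first_socktype`, `second_socktype`, would make the intended behaviour (UDP then TCP on the first pass, TCP only after a too-big error) readable without consulting k5_sendto().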
> @@ -270,7 +272,7 @@ change_set_password(krb5_context context,
> callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
> krb5_free_data_contents(callback_ctx.context, &chpw_rep);
>
> - code = k5_sendto(callback_ctx.context, NULL, &sl, socktype, 0,
> + code = k5_sendto(callback_ctx.context, NULL, &sl, socktype1,
> socktype2,
> &callback_info, &chpw_rep, ss2sa(&remote_addr),
> &addrlen, NULL, NULL, NULL);
> if (code) {
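Review bot: the continuation line `socktype2,` sits on its own line at the indentation of `code =`, breaking the argument alignment of the surrounding call (`&callback_info, ...` and `&addrlen, ...` are aligned under the opening parenthesis); join it to the previous line as `&sl, socktype1, socktype2,`. Since the original call already passed a literal 0 as the second-transport argument, the TCP-only retry after a too-big error now depends on k5_sendto() treating 0 as "no second transport"; that assumption deserves a one-line comment at the call, because it is the only thing that keeps the retry from trying UDP a second time.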
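The transport behaviour Greg describes above, as an added model that is not part of this thread and not MIT krb5's own code: a mocked network in which a proxy firewall drops UDP 464 but passes TCP 464, a model of k5_sendto() that takes a first and an optional second socket type (0 meaning none), and the change-password loop in its pre-1.13 form (UDP only, TCP only after KRB5KRB_ERR_RESPONSE_TOO_BIG) beside the 1.13 form (UDP then TCP, TCP only after a too-big error). The class and function names, the "ok" reply string and the two-attempt loop are simplifications chosen here, not krb5 identifiers.

```python
"""Model of MIT krb5 transport selection for kpasswd (added example, not krb5 code)."""
import socket  # only for the SOCK_DGRAM / SOCK_STREAM constants
from dataclasses import dataclass, field

# The error code named in the thread; the string is a stand-in for the krb5 constant.
RESPONSE_TOO_BIG = "KRB5KRB_ERR_RESPONSE_TOO_BIG"


@dataclass
class FakeNetwork:
    """Constructed stand-in for the path between client and kpasswd server."""
    udp_passes_firewall: bool        # False models a proxy firewall with a TCP-only rule
    reply_too_big: bool = False      # True models a reply that does not fit in a datagram
    log: list = field(default_factory=list)  # transports actually tried, in order

    def send(self, socktype, msg):
        name = "udp" if socktype == socket.SOCK_DGRAM else "tcp"
        self.log.append(name)
        if socktype == socket.SOCK_DGRAM:
            if not self.udp_passes_firewall:
                return None          # datagram silently dropped: the client times out
            if self.reply_too_big:
                return RESPONSE_TOO_BIG
        return "ok"                  # TCP, or UDP with a small reply, succeeds


def k5_sendto_model(net, socktype1, socktype2, msg):
    """Try socktype1, then socktype2 unless it is 0 (assumed meaning: no second transport)."""
    for st in (socktype1, socktype2):
        if st == 0:
            continue
        rep = net.send(st, msg)
        if rep is not None:
            return rep
    return None                      # every transport timed out


def change_password(net, krb5_1_13_style, msg="chpw-req"):
    """Model of the change_set_password() loop for both behaviours in the thread."""
    use_tcp = False
    rep = None
    for _ in range(2):               # at most one retry, triggered only by a too-big reply
        if use_tcp:
            socktype1, socktype2 = socket.SOCK_STREAM, 0          # TCP only
        elif krb5_1_13_style:
            socktype1, socktype2 = socket.SOCK_DGRAM, socket.SOCK_STREAM  # UDP, then TCP
        else:
            socktype1, socktype2 = socket.SOCK_DGRAM, 0           # UDP only (1.12 and prior)
        rep = k5_sendto_model(net, socktype1, socktype2, msg)
        if rep == RESPONSE_TOO_BIG and not use_tcp:
            use_tcp = True           # both versions switch to TCP only on this error
            continue
        break
    return rep


if __name__ == "__main__":
    for style, label in ((False, "krb5 <= 1.12 / KfW 4.0"), (True, "krb5 1.13")):
        net = FakeNetwork(udp_passes_firewall=False)
        print(f"{label}: result={change_password(net, style)!r} tried={net.log}")
```

With UDP blocked, the old loop tries UDP once and times out, which is the "no tries for TCP" symptom in the first mail; the 1.13 loop falls through to TCP and succeeds. Note that udp_preference_limit plays no part in either branch, matching Greg's remark that it only governs messages to the KDC.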