Running KDC as non-root and dockerize KDC

Grant Taylor gtaylor at tnetconsulting.net
Sun Jan 6 14:16:08 EST 2019


On 1/5/19 12:24 PM, Russ Allbery wrote:
> It should be fine as long as the magic handles both UDP and TCP.

ACK

It's trivial to add IPTables rules (the magic I was thinking of) to 
handle both UDP and TCP.

> Another option would be to run the services on non-standard ports and 
> configure the clients.

Ew.  I personally dislike the idea of using a configuration that 
requires making changes to clients, given the sheer number of places 
where changes would need to be made.  I expect the number of clients is 
VASTLY higher than the number of KDCs.  So I would think that it would 
behoove people to make the change on the KDC.  Ongoing maintenance of 
clients would be no fun and would require additional training of 
support staff.

That being said, it is nice to know that (some) Kerberos clients are 
capable of connecting to non-standard ports.

> Modern clients support SRV records, which include the port and let you 
> configure alternate ports.

I need to look into this.

Do you happen to know off hand if DNS lookups for SRV records happen 
before or after initial connection attempts to the standard ports?

If SRV records are looked up /before/ attempting to connect to standard 
ports, I could see adding SRV records as a simple optimization.

> Even older clients that don't support SRV records can be configured in 
> krb5.conf, which supports specifying a port, although I'm not sure how 
> good the support for that is for all protocols and older versions.

Yep.  Yet another reason to stick with standard ports without a 
compelling reason to deviate.

Thank you for the feedback Russ.



-- 
Grant. . . .
unix || die
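An added example (not part of the thread) of the two approaches discussed above: the "magic" that keeps clients on the standard port by redirecting port 88 (UDP and TCP) to an unprivileged port the KDC can bind without root, and the SRV records that advertise the port to modern clients. The script only emits the iptables commands and DNS records unless invoked with --apply; the port numbers, realm and hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the MIT Kerberos
# project. Emits iptables nat rules that redirect the standard Kerberos
# port (88/udp and 88/tcp) to a high port so the KDC can listen as non-root,
# and SRV records that carry the port for clients that support them.
# Assumptions: Linux iptables with the nat table is available; the
# constructed values (8888, EXAMPLE.COM, kdc.example.com) are placeholders.

# kdc_redirect_rules STD_PORT REAL_PORT
# Prints one REDIRECT rule per protocol for traffic arriving from the
# network (PREROUTING) and one for traffic generated on the KDC host itself
# (OUTPUT on lo), so both UDP and TCP are covered as the thread requires.
kdc_redirect_rules() {
    std_port="${1:-88}"
    real_port="${2:-8888}"
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j REDIRECT --to-ports %s\n' \
            "$proto" "$std_port" "$real_port"
        printf 'iptables -t nat -A OUTPUT -o lo -p %s --dport %s -j REDIRECT --to-ports %s\n' \
            "$proto" "$std_port" "$real_port"
    done
}

# count_rules [STD_PORT REAL_PORT]: number of rules that would be installed.
count_rules() {
    kdc_redirect_rules "$@" | wc -l | tr -d ' '
}

# kdc_srv_records REALM KDC_HOST [PORT]
# Prints the _kerberos._udp and _kerberos._tcp SRV records (RFC 4120 names)
# in zone-file syntax; the port field is what lets SRV-aware clients find a
# KDC on a non-standard port without touching krb5.conf.
kdc_srv_records() {
    realm="$1"
    host="$2"
    port="${3:-88}"
    for proto in udp tcp; do
        printf '_kerberos._%s.%s. IN SRV 0 0 %s %s.\n' "$proto" "$realm" "$port" "$host"
    done
}

# Dry run by default; pass --apply STD_PORT REAL_PORT to install the rules.
if [ "${1:-}" = "--apply" ]; then
    kdc_redirect_rules "$2" "$3" | sh
else
    echo "# iptables rules (dry run):"
    kdc_redirect_rules 88 8888
    echo "# SRV records for the same KDC:"
    kdc_srv_records EXAMPLE.COM kdc.example.com 88
fi
```

With the redirect in place the KDC itself must be told to listen on the high port (in MIT's kdc.conf that is kdc_ports and kdc_tcp_ports under [kdcdefaults]); the SRV records are then purely an optimization for clients that query them, since everyone else still reaches port 88.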
