kerberos port numbers

Douglas E. Engert deengert at anl.gov
Fri Aug 23 17:02:01 EDT 2002


Ken Raeburn wrote:
> 
> > Sam Hartman wrote:
> >> One question I have is how many machines out there still have 750
> >> listed as kerberos in /etc/services?
> 
> Yes, that is kind of a key question.  Hence my asking....
> 
> "Douglas E. Engert" <deengert at anl.gov> writes:
> > How many clients actually use the /etc/services port to find the KDC?
> > The krb5.conf file kdc = can have the port number, and the DNS SRV record
> > can provide it. So even if it's in /etc/services, is it actually used?
> 
> Most of the entries in the krb5.conf file we use at MIT have kdc
> entries with no port numbers; in those cases, yes, /etc/services is
> used.

Ours all have :88  

Is it harder to update the krb5.conf or the /etc/services, or keep supporting
multiple ports?

> 
> > Ken was asking about TCP support. The 750/tcp is not official, and I don't
> > think anyone has ever used it. Does Ken plan on not supporting multiple UDP
> > services as well as TCP services?
> 
> Unless someone convinces me otherwise, I don't plan to try port 750
> for TCP, but changing UDP seems like a bigger change, since we are
> trying both ports now.
> 
> > Is there any plan to drop K4 support at the same time?
> >
> > Or at least not adding K4 support for TCP?
> 
> We aren't dropping krb4, but we don't plan on adding TCP support for
> it either.

If you are interested, we added TCP to the KDC to support SSL authentication,
via what we called SSLK5. It is sort of the equivalent of PKINIT.
This was done by running a modified KDC alongside the standard
UDP KDC.

See  ftp://achilles.ctd.anl.gov/pub/DEE/sslk5-1.2.2-20010827.tar
It's more of a proof of concept than production code.

Part of the README file:

> BUILDING SSLK5
> 
> Copy the following MIT K5 source modules to the sslk5 source
> directory:
> 
>  For the KDC (sslk5d):
> 
> src/kdc/dispatch.c
> src/kdc/do_as_req.c
> src/kdc/main.c
> src/kdc/network.c
> 
>  For the kinit (sslk5):
> 
> src/clients/kinit/kinit.c
> 
>  For the client libraries:
> 
> src/lib/krb5/os/sendto_kdc.c
> src/lib/krb5/krb/get_in_tkt.c
> src/lib/krb5/krb/gic_keytab.c
> 
> Apply the patch.k5 which will update the above source files. Then run  
> configure and make. For Unix no changes are required to the MIT source  
> as all the modified routines are compiled and linked with the sslk5 and 
> sslk5d, even if using shared libraries. 


> 
> Ken
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
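
An added example, not part of the original message or of MIT krb5: a small audit for the situation discussed in this thread, where `kdc` entries in krb5.conf without a port fall back to /etc/services, which may still list kerberos as 750. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org:88
        kdc = kdc2.example.org
        admin_server = kdc1.example.org
    }
    LEGACY.EXAMPLE = {
        kdc = old-kdc.legacy.example
    }
"""
SAMPLE_SERVICES = """\
# constructed /etc/services fragment
kerberos        750/udp   kdc     # legacy entry
kerberos        750/tcp   kdc
kerberos-sec    88/udp
"""

def parse_services(text, name="kerberos"):
    """Return {proto: port} for lines whose service name or alias is `name`."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and name in [fields[0]] + fields[2:]:
            port, proto = fields[1].split("/")
            ports.setdefault(proto, int(port))  # first match wins
    return ports

def kdcs_without_port(conf):
    """Return [(realm, host)] for kdc entries that carry no explicit :port."""
    found, realm = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.match(r"([A-Za-z0-9.\-]+)\s*=\s*\{", line):
            realm = m.group(1)          # entering a realm block
        elif line == "}":
            realm = None                # leaving it
        elif realm and (m := re.match(r"kdc\s*=\s*(\S+)$", line)):
            if not re.search(r":\d+$", m.group(1)):
                found.append((realm, m.group(1)))
    return found

def audit(conf, services):
    """List (realm, host, port) where the services fallback is not 88/udp."""
    udp = parse_services(services).get("udp")
    return [(r, h, udp) for r, h in kdcs_without_port(conf)
            if udp not in (None, 88)]
```
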


