krb524 and port 4444 blocks

Alexei Kosut akosut at
Wed Oct 15 18:25:06 EDT 2003

On Oct 15, 2003, at 10:58 AM, James Reynolds wrote:
> Specifically, we are using kerberos 5 to authenticate our Mac OS X 
> computers and we don't reuse tickets and we don't use kerberos 4.  We 
> are seeing the ~21 second delay.  We would like this to go away.
> Do you have any recommendations?  Should we poke a hole for port 4444? 
>  Should we downgrade to kerberos 4?  Is it possible to get krb524 to 
> not do anything?  Is there some other work around?

There is no way to disable this with the version of Kerberos for 
Macintosh included with Mac OS X 10.2.  If you have Kerberos v5 
enabled, it always tries to contact the krb524 service on your KDCs.  
If UDP packages on port 4444 cannot make it to the KDC, or the ICMP 
port unreachable messages can't make it back, then the Kerberos 
libraries have to wait for the attempt to time out.  At Stanford, we 
originally saw thisy with users behind NAT firewalls which often did 
not forward ICMP messages, and more with campus firewalls that block 
port 4444 because of a Windows virus.

The best solution we came up with was to have affected users run the 
following command from a Terminal prompt:

     sudo ipfw add unreach port udp from me to any krb524

This adds a firewall rule to Mac OS X that immediately fails any 
attempt to contact the krb524 port (4444) on another host.  This 
eliminates the delay, but it creates a few other problems, including 
blocking any legitimate use of UDP on port 4444.  It also disables Mac 
OS X's built in Internet Firewall preferences, so Stanford only hands 
out the command (I think we built an app that runs it for you) to users 
who complain about this.

Alexei Kosut <akosut at> <>

More information about the krbdev mailing list