[Freeipa-users] KPasswd TCP issues

ninibaba at worldd.org ninibaba at worldd.org
Tue Feb 19 21:51:37 UTC 2013




> On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninibaba at worldd.org wrote:
>
>> I used IPA from the CentOS 6 repositories and I am having an issue I
>> can't seem to solve. I installed a server and a client with no
>> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
>> flagged for a ping-pong DoS attack. With this information I noticed
>> kpasswd also listens on TCP 464 which I understand was used for
>> over-sized requests and other errors. I attempted to IPTABLES block UDP
>> for kerberos which resulted in kpasswd no longer functioning from the
>> client. Kerberos authentication defaults to TCP without issue, but no
>> matter what I cannot get the client to use TCP for kpasswd. Is there a
>> way to force kpasswd on the client to use TCP (I was under the
>> understanding that if UDP failed TCP would be attempted). I am running
>> the latest from the CentOS 6 repos on both server and client. Thank
>> you!
>
> I just did a spot-check with udp port 464 set to REJECT on my server,
> with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
> ECONNREFUSED after trying to use the UDP port, and then correctly
> falling back and opening a TCP connection.
>
> Do you have more information about what exactly happens when it fails?
> What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
> in its environment? Is anything logged to /var/log/kadmind.log on the
> server when you run 'kpasswd' on the client? Can you try it while using
> 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
> between the two?
>
> Nalin
>

/FACEPALM
So problem solved. I allowed all the necessary ports via IPTABLES, but left the default REJECT rule in that comes by default to handle blocking the UDP port for kpasswd. The default REJECT rule in this case still answers with prohibited instead of just a normal REJECT set for unreachable. Problem solved.
Thanks for pointing me somewhere =)
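The rule-ordering mistake described in this thread, as an added example that is not part of the original posts: it assumes a CentOS 6 style `/etc/sysconfig/iptables` whose INPUT chain ends in the stock catch-all `-j REJECT --reject-with icmp-host-prohibited`, a constructed `iptables-save` dump embedded inline, and hypothetical helper names of my own (`catchall_reject_type`, `kpasswd_udp_reject_rules`, `kpasswd_udp_rule_present`). Linux surfaces an ICMP "host administratively prohibited" reply as EHOSTUNREACH on the client socket, whereas "port unreachable" becomes the ECONNREFUSED that Nalin saw trigger the UDP-to-TCP fallback, so the explicit port-unreachable REJECT for UDP 464 has to sit above the catch-all.

```shell
#!/bin/sh
# Added example; not code from the original thread or from FreeIPA.
# Assumes the stock CentOS 6 iptables layout: a catch-all
# "REJECT --reject-with icmp-host-prohibited" at the end of INPUT.

KPASSWD_PORT=464

# Constructed iptables-save dump mirroring a default CentOS 6 ruleset.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read an iptables-save dump on stdin and print the --reject-with type of
# the last REJECT rule in INPUT (the catch-all), or "none" if there is none.
catchall_reject_type() {
    awk '$1 == "-A" && $2 == "INPUT" && /-j REJECT/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "--reject-with") t = $(i + 1)
         }
         END { print (t == "" ? "none" : t) }'
}

# Read an iptables-save dump on stdin; succeed only if an explicit
# port-unreachable REJECT for UDP kpasswd is already present.
kpasswd_udp_rule_present() {
    grep -qE -- "-A INPUT .*-p udp .*--dport $KPASSWD_PORT .*--reject-with icmp-port-unreachable"
}

# Print the rules that block kpasswd over UDP but keep TCP 464 reachable.
# Both are inserted at position 1 so they precede the host-prohibited
# catch-all; a client hitting the UDP rule then gets ECONNREFUSED and
# libkrb5 retries over TCP, which the catch-all alone does not allow.
kpasswd_udp_reject_rules() {
    echo "iptables -I INPUT 1 -p udp --dport $KPASSWD_PORT -j REJECT --reject-with icmp-port-unreachable"
    echo "iptables -I INPUT 1 -p tcp --dport $KPASSWD_PORT -m state --state NEW -j ACCEPT"
}

# Apply the rules on a live host (requires root and a real iptables).
apply_kpasswd_udp_reject_rules() {
    kpasswd_udp_reject_rules | sh
}

# Stand-alone run: inspect the constructed dump and show what would change.
if [ "${1:-}" != "--quiet" ]; then
    echo "catch-all REJECT type: $(printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | catchall_reject_type)"
    if printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | kpasswd_udp_rule_present; then
        echo "UDP $KPASSWD_PORT already rejected with port-unreachable"
    else
        echo "missing explicit UDP $KPASSWD_PORT rule; would add:"
        kpasswd_udp_reject_rules
    fi
fi
```

On a real server, feed `iptables-save` into `catchall_reject_type` and `kpasswd_udp_rule_present` instead of the constructed dump, and confirm the result with the diagnostics Nalin suggested: `KRB5_TRACE=/dev/stderr kpasswd` on the client and `tcpdump -s0 -w cap -i any "port 464"` on either side should now show the UDP attempt refused and a TCP connection opened.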