[Freeipa-users] KPasswd TCP issues

ninibaba at worldd.org ninibaba at worldd.org
Tue Feb 19 22:29:03 UTC 2013




>> On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninibaba at worldd.org wrote:
>>> I used IPA from the CentOS 6 repositories and I am having an issue I
>>> can't seem to solve. I installed a server and a client with no issues,
>>> but upon Nessus scans of the server, port 464 kpasswd UDP was flagged
>>> for a ping-pong DoS attack. With this information I noticed kpasswd
>>> also listens on TCP 464, which I understand was used for over-sized
>>> requests and other errors. I attempted to iptables block UDP for
>>> Kerberos, which resulted in kpasswd no longer functioning from the
>>> client. Kerberos authentication defaults to TCP without issue, but no
>>> matter what I cannot get the client to use TCP for kpasswd. Is there a
>>> way to force kpasswd on the client to use TCP (I was under the
>>> understanding that if UDP failed TCP would be attempted)? I am running
>>> the latest from the CentOS 6 repos on both server and client. Thank
>>> you!
>>
>> I just did a spot-check with udp port 464 set to REJECT on my server,
>> with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
>> ECONNREFUSED after trying to use the UDP port, and then correctly
>> falling back and opening a TCP connection.
>>
>> Do you have more information about what exactly happens when it fails?
>> What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
>> in its environment? Is anything logged to /var/log/kadmind.log on the
>> server when you run 'kpasswd' on the client? Can you try it while using
>> 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
>> between the two?
>>
>> Nalin
>
> /FACEPALM
> So problem solved. I allowed all the necessary ports via iptables, but
> left in the default REJECT rule that comes by default to handle blocking
> the UDP port for kpasswd. The default REJECT rule in this case still
> answers with prohibited instead of just a normal REJECT set for
> unreachable. Problem solved. Thanks for pointing me somewhere =)
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Actually, I'd like to take that back now. It works fine when running kpasswd,
but if the user's password is expired when SSHing to the client, during the
reset it only tries UDP; the same happens when issuing the passwd command as
well.
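The UDP-first, TCP-fallback behaviour Nalin describes (the client gets ECONNREFUSED on the UDP port and then opens a TCP connection) is easy to misread when a firewall answers with something other than port-unreachable. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from MIT krb5. It models the client side on loopback: a hypothetical TCP-only "server" echoes a length-prefixed request, nothing listens on the matching UDP port, and the client records why UDP failed before falling back. The request payload, the echo server, the function names and the `kpasswd_exchange` helper are all constructed for the demonstration; the real kpasswd message format (RFC 3244) is not parsed. The note that an iptables REJECT with `icmp-host-prohibited` surfaces as EHOSTUNREACH on a connected Linux UDP socket, while `icmp-port-unreachable` surfaces as ECONNREFUSED and a DROP as a timeout, is my addition, not a claim made in the thread.

```python
"""Added example, not code from the Freeipa-users thread or from MIT krb5:
a minimal model of the UDP-first, TCP-fallback behaviour described for the
kpasswd client, with the server simulated on loopback.

Assumptions (none of this is in the original post):
  - the "server" is a local TCP listener on an ephemeral port that echoes
    the request back; the real kpasswd protocol (RFC 3244) is not parsed
  - nothing listens on the matching UDP port, so the kernel answers the
    datagram with ICMP port-unreachable, which a *connected* UDP socket
    reports as ECONNREFUSED on Linux; an iptables REJECT with
    icmp-host-prohibited would instead surface as EHOSTUNREACH and a DROP
    as a timeout, and all three are treated as "UDP failed" below
  - TCP framing is the 4-octet big-endian length prefix that Kerberos uses
    over TCP (RFC 4120 section 7.2.2)
"""
import errno
import socket
import struct
import threading

# Constructed sample input; not a real kpasswd message.
REQUEST = b"constructed kpasswd request placeholder"


def recv_exact(conn, n):
    """Read exactly n bytes from a stream socket, or raise if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def serve_tcp_once(listener):
    """Hypothetical server side over TCP: read one length-prefixed message
    and echo it back with the same framing."""
    conn, _ = listener.accept()
    with conn:
        (length,) = struct.unpack("!I", recv_exact(conn, 4))
        body = recv_exact(conn, length)
        conn.sendall(struct.pack("!I", len(body)) + body)


def send_udp(host, port, payload, timeout):
    """One datagram, one reply. connect() is what makes ICMP errors visible
    on the socket; an unconnected UDP socket would simply time out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        return s.recv(65535)


def send_tcp(host, port, payload, timeout):
    """Length-prefixed request and reply over a fresh TCP connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack("!I", len(payload)) + payload)
        (length,) = struct.unpack("!I", recv_exact(s, 4))
        return recv_exact(s, length)


def kpasswd_exchange(host, port, payload, timeout=1.0):
    """Try UDP first; on any socket error or timeout fall back to TCP.
    Returns (transport_used, udp_failure_reason_or_None, reply_bytes)."""
    try:
        return "udp", None, send_udp(host, port, payload, timeout)
    except socket.timeout:            # DROP rule or lost packet
        reason = "timeout"
    except OSError as exc:            # ECONNREFUSED, EHOSTUNREACH, ...
        reason = errno.errorcode.get(exc.errno, repr(exc))
    return "tcp", reason, send_tcp(host, port, payload, timeout)


def demo():
    """Run the exchange against a loopback, TCP-only 'server'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port, TCP only
    listener.listen(1)
    listener.settimeout(5)                   # never hang the helper thread
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_tcp_once, args=(listener,), daemon=True)
    server.start()
    try:
        return kpasswd_exchange("127.0.0.1", port, REQUEST)
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    transport, reason, reply = demo()
    print(f"UDP failed with {reason}; reply received over {transport}: {reply!r}")
```

Run it as-is and the reply comes back over TCP with `reason` reporting what the UDP attempt saw. The practical check it suggests for the situation in the thread is to compare that reason against the firewall rule in front of port 464: a rule that answers with anything other than port-unreachable, or that silently drops, changes what the client observes, which is why Nalin's `KRB5_TRACE=/dev/stderr kpasswd` plus a `tcpdump` on port 464 is the right way to see which path the real client actually takes.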