On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org wrote:
> I used IPA from the CentOS 6 repositories and I am having an issue I
> can't seem to solve. ?I installed a server and a client with no
> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
> flagged for a ping-pong DoS attack. ?With this information I noticed
> kpasswd also listens on TCP 464 which I understand was used for over-sized
> requests and other errors. ?I attempted to IPTABLES block UDP for
> kerberos which resulted in kpasswd no longer functioning from the client.
> ?Kerberos authentication defaults to TCP without issue, but no matter
> what i cannot get the client to use TCP for kpasswd. ?Is there a way
> to force kpasswd on the client to use TCP (i was under the understanding
> that if UDP failed TCP would be attempted). ?I am running the latest
> from the CentOS 6 repo's on both server and client. ?Thank you!
I just did a spot-check with udp port 464 set to REJECT on my server,
with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
ECONNREFUSED after trying to use the UDP port, and then correctly
falling back and opening a TCP connection.
Do you have more information about what exactly happens when it fails?
What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
in its environment? Is anything logged to /var/log/kadmind.log on the
server when you run 'kpasswd' on the client? Can you try it while using
'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
between the two?
Freeipa-users mailing list