On Tue, Feb 19, 2013 at 10:49:42AM -0700, [email protected] wrote:
> I used IPA from the CentOS 6 repositories and I am having an issue I
> can't seem to solve. I installed a server and a client with no
> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
> flagged for a ping-pong DoS attack. With this information I noticed
> kpasswd also listens on TCP 464, which I understand was used for over-sized
> requests and other errors. I attempted to IPTABLES block UDP for
> kerberos, which resulted in kpasswd no longer functioning from the client.
> Kerberos authentication defaults to TCP without issue, but no matter
> what I cannot get the client to use TCP for kpasswd. Is there a way
> to force kpasswd on the client to use TCP (I was under the understanding
> that if UDP failed TCP would be attempted)? I am running the latest
> from the CentOS 6 repos on both server and client. Thank you!
I just did a spot-check with udp port 464 set to REJECT on my server, with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an ECONNREFUSED after trying to use the UDP port, and then correctly falling back and opening a TCP connection.

Do you have more information about what exactly happens when it fails? What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr in its environment? Is anything logged to /var/log/kadmind.log on the server when you run 'kpasswd' on the client? Can you try it while using 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed between the two?

Nalin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
