Re: recent kadmin vulnerability and changing passwords

2007-09-06 Thread Tom Yu
> "Jason" == Edgecombe, Jason <[EMAIL PROTECTED]> writes:

Jason> Thanks.
Jason> I was wondering how blocking the port would affect password changes. It
Jason> looks like it would block all password changes unless I white-list all
Jason> of our machines.

The kpasswd port and the kadmin port are different.  If you block the
kadmin port but not the kpasswd port, you will only prevent password
changes from clients that attempt to use the kadmin protocol to change
the password, and not the ones that use the kpasswd protocol.  The
kpasswd client shipped with MIT krb5 uses the kpasswd protocol to
change passwords.

---Tom

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


RE: recent kadmin vulnerability and changing passwords

2007-09-06 Thread Edgecombe, Jason
Thanks.

I was wondering how blocking the port would affect password changes. It
looks like it would block all password changes unless I white-list all
of our machines.

Thanks,
Jason

Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 

-Original Message-
From: Nicolas Williams [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 06, 2007 2:37 PM
To: Edgecombe, Jason
Cc: kerberos@mit.edu
Subject: Re: recent kadmin vulnerability and changing passwords

On Thu, Sep 06, 2007 at 08:55:47AM -0400, Edgecombe, Jason wrote:
> Hi All,
> Does kpasswd use the kadmin protocol? I'm just looking at options for
> mitigating the vulnerability.

The Solaris kpasswd will use either the kadmin password or the kpasswd
protocol.  I don't recall if the same is true for the MIT kpasswd.

But both protocols are served by the same kadmind binary.  To mitigate
the issue you can setup a packet filter that blocks connections to the
kadmin port.




Re: recent kadmin vulnerability and changing passwords

2007-09-06 Thread Nicolas Williams
On Thu, Sep 06, 2007 at 08:55:47AM -0400, Edgecombe, Jason wrote:
> Hi All,
> Does kpasswd use the kadmin protocol? I'm just looking at options for
> mitigating the vulnerability.

The Solaris kpasswd will use either the kadmin password or the kpasswd
protocol.  I don't recall if the same is true for the MIT kpasswd.

But both protocols are served by the same kadmind binary.  To mitigate
the issue you can setup a packet filter that blocks connections to the
kadmin port.

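The mitigation Nicolas suggests (a packet filter in front of the kadmin port), combined with Tom's point that the kadmin and kpasswd ports are distinct, as an added example that is not from this thread and not part of MIT krb5: a POSIX shell function that emits an iptables ruleset dropping the kadmin port for everyone except a whitelist of admin hosts, while leaving the kpasswd port open on both transports so kpasswd-protocol password changes keep working. The port numbers, 749 for kadmin and 464 for kpasswd, are the /etc/services defaults and are an assumption here, since the thread does not state them; the whitelist addresses in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or MIT krb5): build iptables rules that
# block the kadmin protocol port except from whitelisted admin hosts, while
# keeping the separate kpasswd port reachable.
#
# Port numbers are the /etc/services defaults; assumption, not stated in the thread.
KADMIN_PORT=749    # kadmin protocol, RPC over TCP
KPASSWD_PORT=464   # kpasswd protocol, served on both TCP and UDP

# kadmin_filter_rules <whitelist CIDR or host> ...
# Prints the rules to stdout so they can be reviewed before being applied.
kadmin_filter_rules() {
    # Dedicated chain: whitelisted sources are accepted, everything else dropped.
    printf 'iptables -N KADMIN_FILTER\n'
    for src in "$@"; do
        printf 'iptables -A KADMIN_FILTER -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A KADMIN_FILTER -j DROP\n'

    # kpasswd protocol stays open so ordinary password changes still work.
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$KPASSWD_PORT"
    printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$KPASSWD_PORT"

    # kadmin protocol goes through the whitelist chain.
    printf 'iptables -A INPUT -p tcp --dport %s -j KADMIN_FILTER\n' "$KADMIN_PORT"
}

# Usage (constructed whitelist): review the rules, then pipe them to sh on the KDC.
#   kadmin_filter_rules 10.0.0.5 192.0.2.0/24
#   kadmin_filter_rules 10.0.0.5 192.0.2.0/24 | sh
```

After applying, `iptables -L KADMIN_FILTER -n` shows the whitelist followed by the terminal DROP; the order matters, since the DROP only takes effect after the whitelist entries. Note what this does and does not cover: it restricts who can reach the kadmin protocol, but the kpasswd port remains open to everyone by design, so clients that change passwords via kpasswd are unaffected and that path is not protected by this filter.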


recent kadmin vulnerability and changing passwords

2007-09-06 Thread Edgecombe, Jason
Hi All,
Does kpasswd use the kadmin protocol? I'm just looking at options for
mitigating the vulnerability.

Thanks,
Jason

Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
 


