> On Tue, Feb 19, 2013 at 10:49:42AM -0700, [email protected] wrote:
>> I used IPA from the CentOS 6 repositories and I am having an issue I
>> can't seem to solve. I installed a server and a client with no
>> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
>> flagged for a ping-pong DoS attack. With this information I noticed
>> kpasswd also listens on TCP 464 which I understand was used for
>> over-sized requests and other errors. I attempted to IPTABLES block
>> UDP for kerberos which resulted in kpasswd no longer functioning from
>> the client.
>> Kerberos authentication defaults to TCP without issue, but no matter
>> what I cannot get the client to use TCP for kpasswd. Is there a way
>> to force kpasswd on the client to use TCP (I was under the
>> understanding that if UDP failed TCP would be attempted)? I am running
>> the latest from the CentOS 6 repos on both server and client. Thank you!
>
> I just did a spot-check with udp port 464 set to REJECT on my server,
> with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
> ECONNREFUSED after trying to use the UDP port, and then correctly
> falling back and opening a TCP connection.
>
> Do you have more information about what exactly happens when it fails?
> What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
> in its environment? Is anything logged to /var/log/kadmind.log on the
> server when you run 'kpasswd' on the client? Can you try it while using
> 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
> between the two?
>
> Nalin
>

/FACEPALM

So problem solved. I allowed all the necessary ports via IPTABLES, but left the default REJECT rule in (the one that comes by default) to handle blocking the UDP port for kpasswd. The default REJECT rule in this case still answers with prohibited instead of just a normal REJECT set for unreachable. Problem solved. Thanks for pointing me somewhere =)

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
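The UDP-then-TCP fallback Nalin describes can be watched from the client side with a small loopback experiment. The following is an added example, not code from this thread or from MIT krb5/FreeIPA: a toy client sends a request over UDP to a port nothing listens on (the kernel answers with ICMP port-unreachable, which surfaces as ECONNREFUSED on a connected UDP socket, the same condition an iptables REJECT with its default icmp-port-unreachable produces), then falls back to a TCP listener standing in for kadmind's TCP port 464. The request and reply bytes are constructed placeholders and do not model the real kpasswd message format; the port numbers are picked at runtime. On Linux, an ICMP host-prohibited answer (what the CentOS 6 default chain-ending rule sends) is reported to the socket as EHOSTUNREACH instead, which is why the errno seen by the client is worth recording when diagnosing a fallback that does not happen.

```python
import errno
import socket
import threading

# Constructed stand-ins for the kpasswd request and reply; the real protocol
# carries AP-REQ/KRB-PRIV messages, which this example does not model.
REQUEST = b"kpasswd-request"
REPLY = b"kpasswd-reply"


def start_tcp_responder():
    """Loopback TCP listener standing in for kadmind's TCP port 464 (test fixture).
    Returns the port it bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(1024) == REQUEST:
                conn.sendall(REPLY)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def udp_exchange(host, port, timeout=0.5):
    """Send one datagram and wait for a reply.
    Returns (reply_bytes, None) on success, or (None, errno) on failure:
    ECONNREFUSED after an ICMP port-unreachable (iptables REJECT default),
    EHOSTUNREACH after an ICMP host-prohibited (the CentOS 6 default
    '--reject-with icmp-host-prohibited' rule), ETIMEDOUT when the
    datagram was silently DROPped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors are reported as errno
        try:
            s.send(REQUEST)
            return s.recv(65535), None
        except socket.timeout:
            return None, errno.ETIMEDOUT
        except OSError as e:
            return None, e.errno


def tcp_exchange(host, port, timeout=2.0):
    """Same request over TCP, as the krb5 client does when UDP yields nothing usable."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(REQUEST)
        return s.recv(65535)


def change_password(host, udp_port, tcp_port):
    """UDP first, TCP on any UDP failure. Returns (transport, reply, udp_errno)
    so a caller can log which error the firewall's reject type produced."""
    reply, err = udp_exchange(host, udp_port)
    if reply is not None:
        return "udp", reply, None
    return "tcp", tcp_exchange(host, tcp_port), err


def demo():
    tcp_port = start_tcp_responder()
    # Reserve-and-release a UDP port so nothing listens on it: the kernel then
    # answers our datagram with ICMP port-unreachable, like a REJECT rule would.
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    closed_udp_port = probe.getsockname()[1]
    probe.close()
    return change_password("127.0.0.1", closed_udp_port, tcp_port)


if __name__ == "__main__":
    transport, reply, udp_err = demo()
    print(transport, reply, errno.errorcode.get(udp_err, udp_err))
```

Run it and the third value printed is the errno the UDP attempt produced (ECONNREFUSED on Linux for a closed loopback port). The practical takeaway matches the thread's resolution: when you want UDP 464 blocked but the TCP fallback to keep working, give that port its own REJECT rule (whose default reject type is icmp-port-unreachable) rather than relying on the chain-ending icmp-host-prohibited rule, and confirm with `KRB5_TRACE=/dev/stderr kpasswd` that the client moves on to TCP.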
