On 1/5/19 12:24 PM, Russ Allbery wrote:
> It should be fine as long as the magic handles both UDP and TCP.
ACK. It's trivial to add iptables rules (the magic I was thinking of) to handle both UDP and TCP.
> Another option would be to run the services on non-standard ports and configure the clients.
Ew. I personally dislike the idea of using a configuration that requires making changes to clients, given the sheer number of places those changes would need to be made. I expect the number of clients is VASTLY higher than the number of KDCs. So I would think that it would behoove people to make the change on the KDC. Ongoing maintenance of clients would be no fun and would require additional training for support staff.
That being said, it is nice to know that (some) Kerberos clients are capable of connecting to non-standard ports.
> Modern clients support SRV records, which include the port and let you configure alternate ports.
I need to look into this. Do you happen to know offhand whether DNS lookups for SRV records happen before or after initial connection attempts to the standard ports?
If SRV records are looked up /before/ attempting to connect to standard ports, I could see adding SRV records as a simple optimization.
> Even older clients that don't support SRV records can be configured in krb5.conf, which supports specifying a port, although I'm not sure how good the support for that is for all protocols and older versions.
Yep. Yet another reason to stick with standard ports without a compelling reason to deviate.
Thank you for the feedback, Russ.

-- 
Grant. . . .
unix || die
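The three mechanisms discussed in this exchange (a KDC-side port redirect that covers both UDP and TCP, DNS SRV records carrying the port, and a krb5.conf entry with an explicit port) as an added example script. This is not code from the thread or from MIT Kerberos; the hostname kdc1.example.com, the realm EXAMPLE.COM and the alternate port 8088 are made up, and the functions are hypothetical helpers that only emit the rules and records rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread or from MIT Kerberos. Scenario: the KDC
# really listens on ALT_PORT, clients keep talking to the standard port 88,
# and the KDC host redirects it; SRV records and krb5.conf show the two
# client-side alternatives. kdc1.example.com / EXAMPLE.COM / 8088 are made up.
set -eu

# Emit iptables NAT rules redirecting the standard port to the port the KDC
# listens on. Kerberos uses both UDP and TCP on port 88, so one rule per
# protocol is required; conntrack un-NATs the replies. PREROUTING only sees
# packets arriving on an interface, so a second pair in OUTPUT (restricted
# to loopback) covers clients running on the KDC host itself.
kdc_redirect_rules() {
    std_port=$1
    alt_port=$2
    for chain in PREROUTING "OUTPUT -o lo"; do
        for proto in udp tcp; do
            printf 'iptables -t nat -A %s -p %s --dport %s -j REDIRECT --to-ports %s\n' \
                "$chain" "$proto" "$std_port" "$alt_port"
        done
    done
}

# Check the condition Russ states above: the rule set (read from stdin)
# must mention both protocols. Exit status 0 only if UDP and TCP both appear.
rules_cover_both_protocols() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- '-p udp' &&
    printf '%s\n' "$rules" | grep -q -- '-p tcp'
}

# Emit the DNS SRV records a modern client uses to locate the KDC
# (_kerberos._udp.REALM and _kerberos._tcp.REALM, RFC 4120 section 7.2.3).
# The port field is what lets a non-standard port work without editing
# krb5.conf on every client.
kdc_srv_records() {
    realm=$1
    host=$2
    port=$3
    for proto in udp tcp; do
        printf '_kerberos._%s.%s. 3600 IN SRV 0 0 %s %s.\n' \
            "$proto" "$realm" "$port" "$host"
    done
}

# Emit a krb5.conf [realms] stanza for clients without SRV support; MIT krb5
# accepts an optional ":port" suffix on the kdc entry.
krb5_conf_realm() {
    realm=$1
    host=$2
    port=$3
    printf '[realms]\n    %s = {\n        kdc = %s:%s\n    }\n' \
        "$realm" "$host" "$port"
}

# Print all three artifacts for the made-up deployment.
show_all() {
    echo "# KDC-side redirect (run as root, or load into your ruleset):"
    kdc_redirect_rules 88 "$2"
    echo
    echo "# DNS zone records for $3:"
    kdc_srv_records "$3" "$4" "$2"
    echo
    echo "# krb5.conf stanza for clients that do not use SRV:"
    krb5_conf_realm "$3" "$4" "$2"
}

show_all 88 8088 EXAMPLE.COM kdc1.example.com
```

Two caveats worth knowing when choosing between these. First, the iptables REDIRECT only rewrites packets that reach the NAT table; a KDC process bound only to the alternate port will still reject anything that arrives on port 88 by some path the rules do not cover, so verify with a client on another host and one on the KDC itself. Second, on the lookup-order question: MIT krb5 assembles its list of KDCs for a realm before it sends anything, taking kdc entries from krb5.conf [realms] if any are configured and otherwise querying DNS SRV (governed by dns_lookup_kdc). SRV records are therefore not a fallback tried after a failed attempt on port 88; they are the source of the address and port list in the first place, and a krb5.conf entry for the realm takes precedence over them.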
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos