[38411] in Kerberos


Re: Running KDC as non-root and dockerize KDC

daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Jan 5 14:24:28 2019

From: Russ Allbery <eagle@eyrie.org>
To: Grant Taylor <gtaylor@tnetconsulting.net>
In-Reply-To: <73b7a7ab-0160-990c-edca-28c491bd7e1e@spamtrap.tnetconsulting.net>
	(Grant Taylor's message of "Sat, 5 Jan 2019 11:41:03 -0700")
Date: Sat, 5 Jan 2019 11:24:11 -0800
Message-ID: <87tvimewmc.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Grant Taylor <gtaylor@tnetconsulting.net> writes:

> Aside:  How well would Kerberos work if these services ran on a high
> port and IPTables magic was used to redirect requests to the low ports
> up to high ports?

It should be fine as long as the magic handles both UDP and TCP.

Another option would be to run the services on non-standard ports and
configure the clients.  Modern clients support SRV records, which include
the port and let you configure alternate ports.  Even older clients that
don't support SRV records can be configured in krb5.conf, which supports
specifying a port, although I'm not sure how good the support for that is
for all protocols and older versions.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
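As an added example (not part of Russ Allbery's reply and not MIT Kerberos code), the Python below models the two client-side routes by which a non-standard KDC port reaches a client, as named in the reply: the port field of a SRV record, and a `host:port` value on a krb5.conf `kdc =` line. The realm, hostnames, ports and records are constructed sample values, and nothing is resolved over the network.

```python
"""Added example: how a Kerberos client learns a non-standard KDC port,
from DNS SRV records (which carry the port) or from krb5.conf 'kdc ='
entries with an optional ':port' suffix.  All values are constructed."""
import re

KDC_DEFAULT_PORT = 88   # port a client assumes when none is configured

# Constructed SRV answers for _kerberos._udp / _kerberos._tcp, in the
# (priority, weight, port, target) order of SRV RDATA.
SAMPLE_SRV = {
    "udp": [(10, 0, 8888, "kdc2.example.com."), (0, 0, 8888, "kdc1.example.com.")],
    "tcp": [(0, 0, 8888, "kdc1.example.com.")],
}

# Constructed krb5.conf realm stanza: one KDC on an alternate port, one
# with no port (so 88 is assumed) and one bracketed IPv6 literal.
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:8888
        kdc = kdc2.example.com
        kdc = [2001:db8::1]:8888
        admin_server = kdc1.example.com:8749
    }
"""

_HOSTPORT = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:\s]+))(?::(?P<port>\d+))?$")

def parse_kdc_value(value, default_port=KDC_DEFAULT_PORT):
    """Split a 'kdc = host[:port]' value into (host, port)."""
    m = _HOSTPORT.match(value.strip())
    if not m:
        raise ValueError("unparseable kdc entry: %r" % value)
    host = m.group("v6") or m.group("host")
    return host, int(m.group("port") or default_port)

def kdcs_from_conf(conf_text, realm):
    """Return (host, port) for every 'kdc =' line inside the realm's stanza."""
    stanza = re.search(r"%s\s*=\s*\{(.*?)\}" % re.escape(realm), conf_text, re.S)
    if not stanza:
        return []
    entries = re.findall(r"^\s*kdc\s*=\s*(\S+)", stanza.group(1), re.M)
    return [parse_kdc_value(e) for e in entries]

def kdcs_from_srv(srv_answers, proto):
    """Order SRV answers by priority (lowest first); the port is in the record.
    Weighted selection among equal priorities is not modelled here."""
    ordered = sorted(srv_answers.get(proto, []), key=lambda r: r[0])
    return [(target.rstrip("."), port) for _p, _w, port, target in ordered]
```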
