[3080] in Kerberos
Re: 88 vs 750
daemon@ATHENA.MIT.EDU (Clifford Neuman)
Thu Apr 7 12:33:32 1994
Date: Thu, 7 Apr 1994 08:59:47 -0700
From: Clifford Neuman <bcn@ISI.EDU>
To: kerberos@MIT.EDU
This is in response to a thread on the comp.protocols.kerberos
newsgroup. Since that group doesn't seem to be gatewayed to the list,
I am sending a slightly revised version of my response here as well.
The question was which port should be used for Kerberos.
Version 5 of Kerberos runs on port 88. Version 4 used port 750, which
was never officially assigned by the IANA. The MIT release of V5
Kerberos in fact listens on both port 88 and port 750 so that it can
accept V4 ticket requests.
If you are sending V5 protocol messages, you should be sending them on
port 88. However, if you are running V5, you should accept messages
on either 750 or 88. It is acceptable to send V4 messages to the KDC on 750.
There are sometimes problems in the services file for sites that
previously ran V4 (or that are still running it for things like AFS),
where "kerberos" is still defined as 750. My suggestion is that you
add an entry to your services file called "kerberos5" at port 88, and
that wherever V5 code does a getportbyname on "kerberos" that you
change the source so that it uses "kerberos5".
The official port assigned by the IANA for kerberos is 88, and that
should eventually be what just plain "kerberos" points to, BUT that
will prevent clients from speaking with V4 KDC's (if you still have
any), and I expect it will take time before all references in services
files are correct.
Similarly, you can define "kerberos4" to be 750 in your services file,
and where you see "kerberos-sec" you can change it to "kerberos4", and
possibly change any V4 clients to use "kerberos4" instead of just
"kerberos". Making these changes is preferable to just swapping
"kerberos" and "kerberos-sec" in your services file because doing that
only serves to propagate the confusion.
~ Cliff
