From: Sarah Day Date: Thu, 14 Jan 2016 18:11:21 +0000 (-0500) Subject: Remove port 750 from the KDC default ports X-Git-Tag: krb5-1.15-beta1~233 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=624476e0350cde6c37078a808c7b6bceb6046c53;p=thirdparty%2Fkrb5.git Remove port 750 from the KDC default ports The KDC was still listening on port 750 despite the fact that this functionality was supposed to have been removed in the past. Remove port 750 from the list of UDP ports that the KDC listens on. Also remove port 750 from the default ports that the client connects to, and from example config fragments. ticket: 8388 (new) --- diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst index 711159b682..7ec4ee4d31 100644 --- a/doc/admin/admin_commands/krb5kdc.rst +++ b/doc/admin/admin_commands/krb5kdc.rst @@ -62,7 +62,7 @@ which the KDC should listen on for Kerberos version 5 requests, as a comma-separated list. This value overrides the UDP port numbers specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but may be overridden by realm-specific values. If no value is given from -any source, the default ports are 88 and 750. +any source, the default port is 88. The **-w** *numworkers* option tells the KDC to fork *numworkers* processes to listen to the KDC ports and process requests in parallel. diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 0f398a64e6..bf7d2407bd 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -1130,7 +1130,7 @@ Here is an example of a generic krb5.conf file:: ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu - kdc = kerberos-2.mit.edu:750 + kdc = kerberos-2.mit.edu admin_server = kerberos.mit.edu master_kdc = kerberos.mit.edu } diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst index af938993f0..1d8c4bc02a 100644 --- a/doc/admin/install_kdc.rst 
+++ b/doc/admin/install_kdc.rst @@ -108,7 +108,7 @@ and location, and logging. An example kdc.conf file:: [kdcdefaults] - kdc_ports = 88,750 + kdc_ports = 88 [realms] ATHENA.MIT.EDU = { diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst index 838dabbba1..443bcc5f3e 100644 --- a/doc/mitK5defaults.rst +++ b/doc/mitK5defaults.rst @@ -24,7 +24,6 @@ Master key default enctype |defmkey| Default :ref:`keysalt list` |defkeysalts| Permitted enctypes |defetypes| KDC default port 88 -Second KDC default port 750 Admin server port 749 Password change port 464 ========================================== ============================= ==================== diff --git a/src/config-files/kdc.conf b/src/config-files/kdc.conf index b17f3aaf99..e7ef0f93d1 100644 --- a/src/config-files/kdc.conf +++ b/src/config-files/kdc.conf @@ -1,12 +1,12 @@ [kdcdefaults] - kdc_ports = 750,88 + kdc_ports = 88 [realms] ATHENA.MIT.EDU = { database_name = /usr/local/var/krb5kdc/principal acl_file = /usr/local/var/krb5kdc/kadm5.acl key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU - kdc_ports = 750,88 + kdc_ports = 88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s } diff --git a/src/config-files/services.append b/src/config-files/services.append index bd1010f5c0..a32fae6d06 100644 --- a/src/config-files/services.append +++ b/src/config-files/services.append 
@@ -1,25 +1,5 @@ -# -# Note --- if you are using Kerberos V4 clients and you either (a) -# haven't converted all your KDC's over to use V5, or (b) are worried -# about inter-realm interoperability with other KDC's that are still -# using V4, then you will have to switch the definition of kerberos and -# kerberos-sec. -# -# The issue is that the official port assignement for the "kerberos" -# port is port 88, yet the unofficial port that has been used for -# Kerberos V4 is port 750. The V5 KDC will respond to requests made on -# either port, and if V4 compatibility is turned on, it will respond to -# V4 requests on either port as well. -# -# -# Hence, it is safe to switch the definitions of kerberos and -# kerberos-sec; both should be defined, though, and one should be port -# 88 and one should be port 750. -# kerberos 88/udp kdc # Kerberos authentication--udp kerberos 88/tcp kdc # Kerberos authentication--tcp -kerberos-sec 750/udp # Kerberos authentication--udp -kerberos-sec 750/tcp # Kerberos authentication--tcp kerberos_master 751/udp # Kerberos authentication kerberos_master 751/tcp # Kerberos authentication kerberos-adm 749/tcp # Kerberos 5 admin/changepw diff --git a/src/include/osconf.hin b/src/include/osconf.hin index 922d7960f1..b2b355bdf4 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -80,16 +80,12 @@ #define KDCRCACHE "dfl:krb5kdc_rcache" #define KDC_PORTNAME "kerberos" /* for /etc/services or equiv. */ -#define KDC_SECONDARY_PORTNAME "kerberos-sec" /* For backwards */ -/* compatibility with */ -/* port 750 clients */ #define KRB5_DEFAULT_PORT 88 -#define KRB5_DEFAULT_SEC_PORT 750 #define DEFAULT_KPASSWD_PORT 464 -#define DEFAULT_KDC_UDP_PORTLIST "88,750" +#define DEFAULT_KDC_UDP_PORTLIST "88" #define DEFAULT_KDC_TCP_PORTLIST "88" /* diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c index 160a2d05b1..196b42647b 100644 --- a/src/lib/krb5/os/locate_kdc.c +++ b/src/lib/krb5/os/locate_kdc.c 
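Review bot: Changing `DEFAULT_KDC_UDP_PORTLIST` to `"88"` only alters the compiled-in fallback; a kdc.conf that still carries `kdc_ports = 750,88` (the exact value this commit removes from the shipped sample) keeps the KDC listening on 750 after upgrade, because the krb5kdc documentation in this same patch says a configured value overrides the default. That deserves a release-note entry or a comment beside the define, e.g. `/* Port 750 (krb4-era "kerberos-sec") is no longer listened on by default; an explicit kdc_ports setting still takes precedence. */`. Deleting `KDC_SECONDARY_PORTNAME` and `KRB5_DEFAULT_SEC_PORT` is presumably safe since no other consumer appears in this diff, but anything outside the tree that includes osconf.h and references them will now fail to build, so a grep before merging is worthwhile.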
@@ -216,7 +216,7 @@ server_list_contains(struct serverlist *list, struct server_entry *server) static krb5_error_code locate_srv_conf_1(krb5_context context, const krb5_data *realm, const char * name, struct serverlist *serverlist, - k5_transport transport, int udpport, int sec_udpport) + k5_transport transport, int udpport) { const char *realm_srv_names[4]; char **hostlist, *host, *port, *cp; @@ -224,7 +224,7 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm, int i; Tprintf ("looking in krb5.conf for realm %s entry %s; ports %d,%d\n", - realm->data, name, ntohs (udpport), ntohs (sec_udpport)); + realm->data, name, ntohs(udpport)); if ((host = malloc(realm->length + 1)) == NULL) return ENOMEM; @@ -250,7 +250,7 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm, } for (i=0; hostlist[i]; i++) { - int p1, p2; + int port_num; k5_transport this_transport = transport; char *uri_path = NULL; @@ -276,14 +276,11 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm, /* L is unsigned, don't need to check <0. */ if (l > 65535) return EINVAL; - p1 = htons (l); - p2 = 0; + port_num = htons(l); } else if (this_transport == HTTPS) { - p1 = htons(443); - p2 = 0; + port_num = htons(443); } else { - p1 = udpport; - p2 = sec_udpport; + port_num = udpport; } /* If the hostname was in brackets, strip those off now. */ @@ -292,15 +289,8 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm, *cp = '\0'; } - code = add_host_to_list(serverlist, host, p1, this_transport, + code = add_host_to_list(serverlist, host, port_num, this_transport, AF_UNSPEC, uri_path); - /* Second port is for IPv4 UDP only, and should possibly go away as - * it was originally a krb4 compatibility measure. */ - if (code == 0 && p2 != 0 && - (this_transport == TCP_OR_UDP || this_transport == UDP)) { - code = add_host_to_list(serverlist, host, p2, UDP, AF_INET, - uri_path); - } if (code) goto cleanup; } 
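Review bot: In the `Tprintf` hunk the format string stays as a context line with two `%d` conversions (`ports %d,%d`) while the added argument line now passes only `ntohs(udpport)`, so whenever Tprintf is compiled in (it appears to be a debug-only macro whose definition is outside the hunk) the second `%d` reads a vararg that was never supplied, which is undefined behaviour. The context line should become `Tprintf("looking in krb5.conf for realm %s entry %s; port %d\n",` so the conversions match the three arguments. A `-Wformat` build with the macro enabled would have flagged this.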
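Review bot: The `if (l > 65535) return EINVAL;` context line in the port-parsing hunk returns straight out of the `hostlist` loop instead of jumping to `cleanup:`, so whatever `cleanup:` releases (`hostlist` is populated outside this hunk) is presumably leaked on a malformed `kdc = host:port` entry. Since this branch is being rewritten anyway, it is a natural moment to change it to `code = EINVAL; goto cleanup;`. locate_srv_conf_1's body begins and ends outside the hunk, so the exact contents of `cleanup:` should be checked before relying on that.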
@@ -313,13 +303,11 @@ cleanup: #ifdef TEST static krb5_error_code krb5_locate_srv_conf(krb5_context context, const krb5_data *realm, - const char *name, struct serverlist *al, int udpport, - int sec_udpport) + const char *name, struct serverlist *al, int udpport) { krb5_error_code ret; - ret = locate_srv_conf_1(context, realm, name, al, TCP_OR_UDP, udpport, - sec_udpport); + ret = locate_srv_conf_1(context, realm, name, al, TCP_OR_UDP, udpport); if (ret) return ret; if (al->nservers == 0) /* Couldn't resolve any KDC names */ @@ -505,7 +493,7 @@ prof_locate_server(krb5_context context, const krb5_data *realm, k5_transport transport) { const char *profname; - int dflport1, dflport2 = 0; + int dflport = 0; struct servent *serv; switch (svc) { @@ -515,31 +503,30 @@ prof_locate_server(krb5_context context, const krb5_data *realm, have old, crufty, wrong settings that this is probably better. */ kdc_ports: - dflport1 = htons(KRB5_DEFAULT_PORT); - dflport2 = htons(KRB5_DEFAULT_SEC_PORT); + dflport = htons(KRB5_DEFAULT_PORT); break; case locate_service_master_kdc: profname = KRB5_CONF_MASTER_KDC; goto kdc_ports; case locate_service_kadmin: profname = KRB5_CONF_ADMIN_SERVER; - dflport1 = htons(DEFAULT_KADM5_PORT); + dflport = htons(DEFAULT_KADM5_PORT); break; case locate_service_krb524: profname = KRB5_CONF_KRB524_SERVER; serv = getservbyname("krb524", "udp"); - dflport1 = serv ? serv->s_port : htons(4444); + dflport = serv ? serv->s_port : htons(4444); break; case locate_service_kpasswd: profname = KRB5_CONF_KPASSWD_SERVER; - dflport1 = htons(DEFAULT_KPASSWD_PORT); + dflport = htons(DEFAULT_KPASSWD_PORT); break; default: return EBUSY; /* XXX */ } return locate_srv_conf_1(context, realm, profname, serverlist, transport, - dflport1, dflport2); + dflport); } #ifdef KRB5_DNS_LOOKUP diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c index a2bc5915cf..952228c160 100644 --- a/src/lib/krb5/os/sendto_kdc.c +++ b/src/lib/krb5/os/sendto_kdc.c 
@@ -1439,8 +1439,7 @@ service_fds(krb5_context context, struct select_state *selstate, * If P=3, Total = 3*U + T + 14. * If P=4, Total = 4*U + T + 30. * - * Note that if you try to reach two ports (e.g., both 88 and 750) on - * one server, it counts as two. + * Note that if you try to reach two ports on one server, it counts as two. * * There is one exception to the above rules. Whenever a TCP connection is * established, we wait up to ten seconds for it to finish or fail before diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c index e986ae9d9c..4bf9795c5a 100644 --- a/src/lib/krb5/os/t_locate_kdc.c +++ b/src/lib/krb5/os/t_locate_kdc.c @@ -121,8 +121,7 @@ main (int argc, char *argv[]) switch (how) { case LOOKUP_CONF: - err = krb5_locate_srv_conf(ctx, &realm, "kdc", &sl, - htons(88), htons(750)); + err = krb5_locate_srv_conf(ctx, &realm, "kdc", &sl, htons(88)); break; case LOOKUP_DNS: diff --git a/src/lib/krb5/os/td_krb5.conf b/src/lib/krb5/os/td_krb5.conf index cdee60945f..edf0353619 100644 --- a/src/lib/krb5/os/td_krb5.conf +++ b/src/lib/krb5/os/td_krb5.conf @@ -3,7 +3,7 @@ [realms] DEFAULT_REALM.TST = { - kdc = FIRST.KDC.HOST:750 + kdc = FIRST.KDC.HOST kdc = SECOND.KDC.HOST:88 admin_server = FIRST.KDC.HOST default_domain = MIT.EDU diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index 65cc51cd3c..a4b30e9414 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -1416,7 +1416,7 @@ Here is an example of a generic krb5.conf file: ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos\-1.mit.edu - kdc = kerberos\-2.mit.edu:750 + kdc = kerberos\-2.mit.edu admin_server = kerberos.mit.edu master_kdc = kerberos.mit.edu } diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man index 663b2ec658..505eff06a0 100644 --- a/src/man/krb5kdc.man +++ b/src/man/krb5kdc.man 
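Review bot: With `FIRST.KDC.HOST:750` becoming a bare `FIRST.KDC.HOST`, the only explicit port left in this fixture is `SECOND.KDC.HOST:88`, which is indistinguishable from the default that t_locate_kdc.c now passes in (`htons(88)`), so this test data no longer separates the "port parsed from the kdc entry" path from the "default port" path. Keeping one entry on a non-default port, e.g. `kdc = SECOND.KDC.HOST:1088`, preserves that coverage. If there is a recorded expected output for this fixture it would need the same update.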
@@ -82,7 +82,7 @@ which the KDC should listen on for Kerberos version 5 requests, as a comma\-separated list. This value overrides the UDP port numbers specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but may be overridden by realm\-specific values. If no value is given from -any source, the default ports are 88 and 750. +any source, the default port is 88. .sp The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP processes to listen to the KDC ports and process requests in parallel. diff --git a/src/util/profile/test.ini b/src/util/profile/test.ini index c1c8830aa3..23ca896773 100644 --- a/src/util/profile/test.ini +++ b/src/util/profile/test.ini @@ -13,8 +13,8 @@ this is a comment. Everything up to the first square brace is ignored. [realms] ATHENA.MIT.EDU = { server = KERBEROS.MIT.EDU:88 - server = KERBEROS1.MIT.EDU:750 - server = KERBEROS2.MIT.EDU:750 + server = KERBEROS1.MIT.EDU + server = KERBEROS2.MIT.EDU admin = KERBEROS.MIT.EDU etype = DES-MD5 }