Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 3.11. I need to use Kerberos through a firewall. What does my firewall administrator need to do?


From: Von Welch <vwelch@ncsa.uiuc.edu>

     There are three components in the Kerberos world: the Kerberos
     client applications (e.g. kinit, telnet, pop), the server
     applications (e.g. telnetd, popper), and the Kerberos KDC. Each
     pair has different types of traffic that go between them.
     Depending on the pair of components your firewall is between, you
     will need to allow different types of traffic through your
     firewall.

     The notation 'xxxx/udp' or 'xxxx/tcp' below refers to an ephemeral
     port number (>1024). This refers to a return port that is assigned
     by the system. The only assumption you can make about the port
     number is that it will be greater than 1024.

     Between a client program and the KDC, your firewall may need to
     allow traffic on the following ports/protocols:

      Client Application                            To KDC   Return traffic

      Initial ticket request (i.e. kinit)           88/udp   xxxx/udp

      Kerberos 5-to-4 ticket conversion             4444/udp xxxx/udp

      Changing password (kpasswd under unix)        749/tcp  xxxx/tcp

      Changing password (under windows, old
      interface)                                    464/tcp  xxxx/tcp

      Changing password (under windows, new
      interface)                                    464/udp  xxxx/udp

      Running kadmin (also requires initial
      ticket, 88/udp)                               749/tcp  xxxx/tcp

     Between an application server and the KDC, your firewall may need
     to allow traffic on the following ports/protocols:

      Application Server                  To KDC   Return traffic

      Initial ticket request (i.e. kinit) 88/udp   xxxx/udp

      Kerberos 5-to-4 ticket conversion   4444/udp xxxx/udp

     Between a client program and an application server, your firewall
     may need to allow traffic on the following ports/protocols:

      Application program/server      To server          To client

      rlogin/rlogind (w/o encryption) 543/tcp            xxxx/tcp

      rlogin/rlogind (w/encryption)   2105/tcp           xxxx/tcp

      rsh/rshd                        544/tcp            xxxx/tcp

      pop/popper                      1109/tcp           xxxx/tcp

      telnet/telnetd                  Same as non-kerberized
                                      telnet/telnetd

      ftp/ftpd                        Same as non-kerberized ftp/ftpd
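The three tables above translate directly into a firewall rule set. The following POSIX shell script is an added example (not part of the FAQ or Von Welch's contribution); it prints iptables FORWARD rules for whichever component pair the firewall sits between, using the port numbers from the tables. The subnets and the `kerberos_fw_rules`/`fw_rule` function names are assumptions chosen for the example, and the script only echoes rules rather than applying them, so it can be reviewed first and piped to `sh` on the firewall host afterwards. Instead of opening every port above 1024 for the 'xxxx' return traffic, the script relies on the firewall's connection tracking to admit replies to flows the initiating side opened.

```shell
#!/bin/sh
# Added example: emit iptables rules for the Kerberos port tables above.
# Nothing is applied; the rules are printed for review.

# Print one rule admitting NEW flows from $1 (source CIDR) to $2 (destination CIDR)
# on protocol $3, port $4, tagged with comment $5.
fw_rule() {
    printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Rules for the component pair named in $1: client-kdc | server-kdc | client-server.
# $2 = CIDR of the side that initiates, $3 = CIDR of the side that answers.
kerberos_fw_rules() {
    pair=$1; src=$2; dst=$3
    case "$pair" in
      client-kdc)
        fw_rule "$src" "$dst" udp 88   "kinit: initial ticket request"
        fw_rule "$src" "$dst" udp 4444 "krb524: Kerberos 5-to-4 ticket conversion"
        fw_rule "$src" "$dst" tcp 749  "kpasswd (unix) and kadmin (kadmin also needs 88/udp above)"
        fw_rule "$src" "$dst" tcp 464  "kpasswd (windows, old interface)"
        fw_rule "$src" "$dst" udp 464  "kpasswd (windows, new interface)"
        ;;
      server-kdc)
        fw_rule "$src" "$dst" udp 88   "application server: initial ticket request"
        fw_rule "$src" "$dst" udp 4444 "application server: 5-to-4 ticket conversion"
        ;;
      client-server)
        fw_rule "$src" "$dst" tcp 543  "kerberized rlogin (no encryption)"
        fw_rule "$src" "$dst" tcp 2105 "kerberized rlogin (encrypted)"
        fw_rule "$src" "$dst" tcp 544  "kerberized rsh"
        fw_rule "$src" "$dst" tcp 1109 "kerberized pop"
        # telnet and ftp use the same ports as their non-kerberized versions;
        # the ftp data channel still needs the usual FTP handling (e.g. the
        # nf_conntrack_ftp helper), which this example does not configure.
        fw_rule "$src" "$dst" tcp 23   "telnet (same port as non-kerberized telnet)"
        fw_rule "$src" "$dst" tcp 21   "ftp control channel (same port as non-kerberized ftp)"
        ;;
      *)
        echo "unknown pair: $pair (use client-kdc, server-kdc or client-server)" >&2
        return 1
        ;;
    esac
    # Return traffic arrives on an ephemeral port (>1024) of the initiating side.
    # Rather than opening every port above 1024, admit only replies to tracked flows.
    printf 'iptables -A FORWARD -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$dst" "$src"
}

# Number of rules a pair produces; useful for checking that a table was transcribed fully.
kerberos_fw_rule_count() {
    kerberos_fw_rules "$1" 10.0.0.0/24 10.0.1.5/32 | wc -l | tr -d ' '
}

# Example invocation with constructed placeholder subnets: clients on 10.0.0.0/24, KDC at 10.0.1.5.
kerberos_fw_rules client-kdc 10.0.0.0/24 10.0.1.5/32
```

The pair-per-invocation design mirrors the FAQ's point that the traffic differs by which two components the firewall separates: a firewall between clients and the KDC never needs the rlogin or pop rules, and one between application servers and the KDC needs only the two ticket-related rules. Note that this reproduces the 2000-era table; Kerberos as specified later in RFC 4120 also uses 88/tcp, and modern KDCs commonly serve kpasswd on both 464/udp and 464/tcp, so check what your own KDC actually listens on before relying on the list.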
