What is the proper way to force kerberos to TCP?


What is the proper way to force kerberos to TCP?

Todd Grayson
Hi,

We are seeing a number of conflicting information sets on how to properly
force TCP by kerberos clients in CentOS/RH OS distributions.

udp_preference_limit =0? 1?

Or is there some other flag that is reliable to be setting here?

--
Todd Grayson
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: What is the proper way to force kerberos to TCP?

Greg Hudson
On 10/3/19 11:11 AM, Todd Grayson wrote:
> We are seeing a number of conflicting information sets on how to properly
> force TCP by kerberos clients in CentOS/RH OS distributions.
>
> udp_preference_limit =0? 1?

By my reading of the code, either should work (0 is not treated as a
special value, but of course no messages will be a single byte, so 1
should work as well).  I don't believe there are any other ways to force
a TCP preference (or to disable UDP) using krb5.conf alone.
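
A way to check which value a client's krb5.conf actually carries, as an added example that is not part of the thread or of the krb5 code base. It reads only the one file it is given (it does not follow `include`/`includedir` directives), the function names are made up for this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report whether a krb5.conf sets the TCP preference
# discussed above (udp_preference_limit = 0 or 1 in [libdefaults]).

# Print the udp_preference_limit value from [libdefaults], or nothing if unset.
# Assumption: the first occurrence in the section is the one that counts.
krb5_udp_limit() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # trim the line
        /^[#;]/ || $0 == "" { next }                       # comments, blanks
        /^\[/ { in_ld = ($0 ~ /^\[[ \t]*libdefaults[ \t]*\]$/); next }
        in_ld && /^udp_preference_limit[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Classify a config file: tcp-first | size-dependent:N | unset | invalid:V
krb5_transport_order() {
    limit=$(krb5_udp_limit "$1")
    case "$limit" in
        '')        echo "unset" ;;                  # library default applies
        *[!0-9]*)  echo "invalid:$limit" ;;         # not a plain integer
        0|1)       echo "tcp-first" ;;              # every message exceeds the limit
        *)         echo "size-dependent:$limit" ;;  # UDP first below N bytes
    esac
}

# Constructed sample config, written to a temp file so the script runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # udp_preference_limit = 0
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
echo "$sample: $(krb5_transport_order "$sample")"
rm -f "$sample"
```

A result of `tcp-first` means TCP is preferred, not that UDP is disabled; the krb5.conf documentation states that both protocols are tried if the first attempt fails.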

Re: What is the proper way to force kerberos to TCP?

Todd Grayson
Thanks!

On Thu, Oct 3, 2019 at 9:41 AM Greg Hudson <[hidden email]> wrote:

> On 10/3/19 11:11 AM, Todd Grayson wrote:
> > We are seeing a number of conflicting information sets on how to properly
> > force TCP by kerberos clients in CentOS/RH OS distributions.
> >
> > udp_preference_limit =0? 1?
>
> By my reading of the code, either should work (0 is not treated as a
> special value, but of course no messages will be a single byte, so 1
> should work as well).  I don't believe there are any other ways to force
> a TCP preference (or to disable UDP) using krb5.conf alone.
>


--
Todd Grayson
Customer Operations Engineering
Security SME