Port 750: Kerberos-IV — The Authentication Protocol That Used the Wrong Port

The Accidental Assignment

Port 750 sits in the well-known port range (0-1023), where the Internet Assigned Numbers Authority (IANA) officially assigns ports to specific services. But port 750's story is stranger than most: it became associated with Kerberos version 4 authentication despite never being officially assigned to Kerberos.¹

The port was supposed to be reserved for rfile and loadav services. Nobody noticed the mistake until preparations for the Kerberos v5 RFC began, and someone finally checked the official port assignments.²

By then, Kerberos v4 had been using port 750 for years. Servers were deployed. Firewalls were configured. The protocol was embedded in AFS (Andrew File System) cells across universities and enterprises. You can't just tell everyone they've been using the wrong port.

What Kerberos Does

Kerberos is a network authentication protocol that lets users prove their identity without sending passwords across the network. Instead of transmitting credentials in plaintext, Kerberos uses a ticket-based system: you authenticate once to a central server (the Key Distribution Center), and it issues you tickets that prove your identity to other services.

It's named after Cerberus, the three-headed dog that guards the underworld in Greek mythology. The three heads represent the client, the server, and the trusted third party (the KDC) that vouches for both.

Kerberos v4, running on port 750, was foundational in bringing secure authentication to networked systems in the 1980s and 1990s.

The Migration Problem

When the port assignment error was discovered, the solution seemed simple: assign Kerberos a proper port (88 was chosen) and migrate everyone over.³

But migration is never simple. The plan required Kerberos KDCs to listen on both the old port (750) and the new port (88), giving clients time to update their configurations.⁴ For Kerberos v5, this worked. For Kerberos v4, it was messier—there were deployed servers everywhere, especially in AFS environments, and many couldn't easily update.

Even today, some legacy systems still send authentication requests to port 750, decades into what was supposed to be a temporary transition period.

Why Kerberos v4 Was Replaced

Beyond the port number confusion, Kerberos v4 had real security problems. It relied on older encryption algorithms that became vulnerable as computing power increased. It lacked support for modern cryptographic practices. Security researchers found flaws in the protocol itself.⁵

Kerberos v5, standardized in the 1990s, addressed these issues with stronger encryption, better extensibility, and proper IANA port assignment (port 88). The recommendation became clear: don't expose Kerberos v4 to the Internet, and migrate to v5 as soon as possible.⁶

Current Status

Port 750 is largely quiet now. Kerberos v5 uses port 88. Most organizations have migrated away from v4. But in some corners of the Internet—legacy AFS cells, old university networks, systems that haven't been touched in twenty years—port 750 still carries authentication traffic.

If you're configuring a firewall and need to support Kerberos v4 KDCs, you may still need to allow TCP and UDP on port 750.⁷ But you shouldn't want to. Kerberos v4 is deprecated, vulnerable, and belongs to history.

Checking What's Listening

To see if anything on your system is listening on port 750:

# Linux/macOS
sudo lsof -i :750
sudo netstat -tulpn | grep :750

# Windows
netstat -ano | findstr :750

If you find something listening here, you've probably discovered a legacy Kerberos v4 installation that should have been retired years ago.

What Port 750 Teaches Us

Port 750's story reveals how the Internet actually evolves. Protocols get deployed before documentation catches up. Mistakes get baked into infrastructure. The "proper" way conflicts with the deployed reality, and deployed reality usually wins—at least for a while.

The well-known port range (0-1023) was supposed to bring order to network services through central assignment. But order is aspirational. The real Internet is full of ports that do things they were never officially assigned to do, migrations that took decades longer than planned, and legacy systems still talking to ports they were supposed to abandon before you were born.

Port 750 is a reminder that protocols are made by humans, assigned by committees, and deployed into a messy world where nobody reads the documentation until it's too late.