Port 65 is registered with IANA as tacacs-ds, the TACACS Database Service [1]. It is the backend half of one of the oldest authentication systems ever built for a computer network.
If you have ever logged into a router, a switch, or a network device and been asked for a username and password, you have used a descendant of the system that port 65 once served.
What TACACS-DS Does
TACACS, the Terminal Access Controller Access-Control System, is a protocol family that handles remote authentication for network access control [2]. The main TACACS protocol runs on port 49 and handles the conversation between a network device and an authentication server: "Here is a username and password. Is this person allowed in?"
Port 65 handled the other half. The TACACS Database Service was the backend lookup layer, the service responsible for querying the actual database of authorized users and returning the answer. Port 49 was the face. Port 65 was the filing cabinet.
Both TCP and UDP are registered for port 65 [1].
The ARPANET Origins
TACACS was born in 1984 at BBN Technologies (Bolt, Beranek and Newman), the company that had built the original ARPANET [2]. Brian Anderson first described the protocol in RFC 927 [3], and a team including Greg Ruth, Peter Ditmars, Sharon Eisner, and John Delsignore documented the full system in BBN Tech Memo CC-0045 [4].
The problem they were solving was concrete. The ARPANET had two types of routing nodes: IMPs that connected dedicated lines, and TIPs (Terminal Interface Processors) that accepted dial-up connections. Anyone with a modem and a phone line could dial into a TIP. The military wanted to control who got in [4].
So TACACS was invented. A TIP would accept a username and password from a dial-up user, send a query to a TACACS daemon running on a server, and either grant or deny access based on the response [4]. The system split the work: port 49 carried the authentication conversation, and port 65 carried the database queries that resolved those conversations into answers.
How It Works
The architecture is straightforward:
- A user dials into a network device (originally a TIP, later a router)
- The device sends credentials to the TACACS server on port 49
- The TACACS server queries its credential database via port 65
- The database service returns whether the user exists and is authorized
- The TACACS server sends an accept or deny response back to the device
The separation of the protocol layer (port 49) from the database layer (port 65) was an early example of what we now call separation of concerns. The authentication logic and the credential storage were deliberately decoupled.
The Quiet Obsolescence
Port 65 faded from active use decades ago. Here is what happened:
Cisco Systems began supporting TACACS in the late 1980s and extended it into Extended TACACS (XTACACS) in 1990 [2]. Then in 1993, Cisco released TACACS+, an entirely new protocol that was not backward-compatible with the original TACACS [2]. TACACS+ consolidated everything onto port 49 using TCP, eliminating the need for a separate database service port [5].
Craig Finseth of the University of Minnesota documented the original protocols in RFC 1492 in 1993 [4], but by then TACACS+ had already made the original architecture obsolete. The final nail: RFC 8907 formalized TACACS+ as the modern standard, running entirely on port 49 [5].
Port 65 was left behind. Not removed from the IANA registry, just no longer needed.
Security Considerations
The original TACACS protocol, and by extension the database service on port 65, transmitted credentials in cleartext [4]. Every username, every password, readable by anyone who could see the packets. This was considered acceptable in 1984 on a military network with controlled physical access. It is not acceptable anywhere today.
If you see traffic on port 65, treat it with suspicion. No modern system should be using the original TACACS database service. Unexpected activity on this port could indicate misconfigured legacy equipment or, more likely, something using the port for purposes unrelated to TACACS.
How to Check What Is Listening on Port 65
Finding something listening on port 65 in a modern network is unusual. Investigate before assuming it is benign.
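One way to run that check on a Linux host, as an added example that is not part of the original page. It assumes iproute2's `ss` is installed; the function names and the sample socket table are constructed for illustration. The filter matches the local port exactly, so 650 and 65535 are not mistaken for 65.

```shell
#!/bin/sh
# Added example (not from the original page): find sockets bound to local port 65.

# Constructed sample of `ss -H -tulnp` output, used to exercise the filter offline.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128      0.0.0.0:65       0.0.0.0:*    users:(("inetd",pid=812,fd=5))
tcp   LISTEN 0      128      0.0.0.0:650      0.0.0.0:*    users:(("demo",pid=901,fd=3))
udp   UNCONN 0      0           [::]:65          [::]:*    users:(("inetd",pid=812,fd=6))
tcp   LISTEN 0      128    127.0.0.1:65535    0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=700,fd=3))
EOF
}

# filter_port65: keep only lines whose local port is exactly 65.
# A plain `grep :65` would also match :650 and :65535, so compare the last
# colon-separated field of the local address (this also handles [::]:65).
# Output per match: protocol, local address, owning process ("-" if not shown).
filter_port65() {
    awk '{
        n = split($5, part, ":")     # $5 is the Local Address:Port column
        if (part[n] == "65") print $1, $5, ($7 == "" ? "-" : $7)
    }'
}

# check_port65: run the filter against the live socket table.
# Run as root; otherwise ss omits the process column for sockets owned by
# other users. Returns 1 when something is bound, so it can gate a script.
check_port65() {
    command -v ss >/dev/null 2>&1 || { echo "ss (iproute2) not found" >&2; return 2; }
    found=$(ss -H -tulnp 2>/dev/null | filter_port65)
    if [ -n "$found" ]; then
        printf 'Sockets bound to port 65:\n%s\n' "$found"
        return 1
    fi
    echo "Nothing is bound to port 65."
}

# Live scan only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--scan" ]; then
    check_port65
fi
```

The process column identifies the binary and PID that own the socket, which is the starting point for deciding whether it is legacy equipment or something unrelated to TACACS.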
The Port's Place in History
Port 65 belongs to the well-known port range (0 through 1023), which requires IETF Review or IESG Approval for assignment [1]. It sits in distinguished company. Its neighbor port 49 still carries authentication traffic for thousands of network devices worldwide via TACACS+.
Port 65 itself carries nothing anymore. But the question it was built to answer, "Is this person allowed in?", is asked billions of times a day across every network on Earth. The architecture changed. The question never did.