Bug in Kerberized telnet??

Ken Raeburn raeburn at MIT.EDU
Tue Jul 6 12:41:55 EDT 2004 

On Jul 6, 2004, at 11:24, Carretti Enrico wrote:

> Hi all, I'd like to submit you a problem: I've configured kerberos 
> properly on
> a machine; I've done all the necessary configuration and I can locally 
> perform
> "kerberized" telnet sessions, in fact I've replaced the UNIX daemon 
> with the
> kerberized one. On the same machine I've also installed Apache, 
> becouse in my
> plan I have to let Apache and Kerberos "talk" (with mod_auth_kerb). The
> configuration of the web server is fine, in fact I point my browser on 
> the
> port 80 and I can see the default page of Apache. See that Apache and 
> Kerberos
> are NOT YET in communication! The problem comes now: I want to test the
> correct installation of Apache simulating an HTTP session with telnet 
> (using
> the kerberized version of client and server, of course) and I perform:

I think you're a bit confused about how Kerberos authentication is 
performed.  It's not a single specific exchange stuck on the front of 
every application protocol.  In the Telnet protocol, there's an 
exchange built in to say "I want to do authentication", "these are the 
methods I support", "here's the data".  The HTTP protocol has hooks for 
authentication too, and a way of using Kerberos within that framework, 
but they aren't the same as for telnet.


> $ telnet -a <my.machine> 80
> GET / HTTP/1.1
> Host: <my.machine>
>
> but Apache returns an error, the 501 (i.e. Method not implemented). 
> This is
> quite strange but comes clearer if I look to error.log, where I have
>
> [...] "\xff\xfb%GET / HTTP/1.0" 501 304
>
> This means that before GET there are some other characters ( \xff\xfb% 
> ), as
> you see not written by me, that make the request fail. Trying with a 
> non
> kerberized client to preform the same process I get a correct answer 
> by the
> server.

That's the telnet protocol sequence "IAC WILL AUTHENTICATE".  If it got 
a proper telnet-protocol response saying the server supported it, it 
might follow up with the Kerberos credentials.  But the web server 
expects a different means to be used to incorporate the authentication 
data from the client.

Look at the RFCs for the two protocols and you'll see each specifies 
how to do authentication.

> Now the final question: those strange characters before GET are 
> something like
> the end of the stream of the negotiation with the kerberized telnet 
> server put
> there for error??

Close.  It's the telnet-protocol offer to do authentication.  Since the 
server doesn't answer that offer, the authentication isn't actually 
done.

As far as I know, you can't use telnet to test the Kerberos support in 
Apache.  (Well, not by itself.  If you wrote a helper application to 
get the tickets and format the authentication header to send to the 
server, you could cut and paste it into the telnet session.)

Ken

More information about the Kerberos mailing list