Problems using Kerberos telnet

Someone please at nospam.net
Thu Mar 21 11:28:46 EST 2002


Wyllys Ingersoll wrote:

> 
> The authentication exchange itself is failing; .k5login doesn't come into
> play until after you have already authenticated successfully.
> 
> Try turning on the debugging output for options, encryption, and
> authentication in the telnet client:
> 
> $ telnet -a -x
> telnet> set enc
> telnet> set opt
> telnet> set auth
> telnet> set debug
> telnet> o <hostname>
> ...
> 
> This will display the exchange of options and show debug output for the
> client when trying to connect.
> 
> Also, check your KDC log file to see if there is anything useful being
> logged by the KDC.
> 
> You could also run the server in debug mode as well (telnetd -a debug).
> 
> -wyllys
> 
> 
> Someone wrote:
> 
>> Srinivas Cheruku wrote:
>>
>>> In the user's home directory create a .k5login file with the principal
>>> name you are using to log in.
>>> $more .k5login
>>> user at REALM.COM
>>>
>>> Good Luck
>>>
>>> -----Original Message-----
>>> From: Someone [mailto:please at nospam.net]
>>> Sent: Thursday, March 21, 2002 6:30 PM
>>> To: kerberos at mit.edu
>>> Subject: Re: Problems using Kerberos telnet
>>>
>>>
>>> Marcio d'Avila Scheibler wrote:
>>>
>>>
>>>>> Hello, I am using MIT kerberos v1.2.3 on a Linux machine, I have 
>>>>> activated the kerberized telnet daemon in inetd.conf like that:
>>>>>
>>>>> telnet  stream  tcp     nowait  root    /usr/sbin/tcpd /usr/local/sbin/telnetd -a valid
>>>>>
>>>>>
>>>>> And then I am using the kerberized telnet client to login to my 
>>>>> host (to test) but I cannot, see the following output:
>>>>>
>>>>>
>>>>>> telnet localhost
>>>>>>
>>>>> Trying 127.0.0.1...
>>>>> Connected to localhost (127.0.0.1).
>>>>> Escape character is '^]'.
>>>>> telnetd: No authentication provided.
>>>>> Connection closed by foreign host.
>>>>>
>>>>> Do I need to do anything special ? I have received a ticket from my 
>>>>> KDC and that host has a keytab file.
>>>>>
>>>>>
>>>>>
>>>> Is it a forwardable ticket (kinit -f) ?
>>>>
>>>>
>>>>
>>>
>>> No, it wasn't, so I did a kinit -f and then tried the following:
>>>
>>> $./telnet -a localhost
>>> Trying 127.0.0.1...
>>> Connected to localhost (127.0.0.1).
>>> Escape character is '^]'.
>>> telnetd: Authorization failed.
>>> Connection closed by foreign host.
>>>
>>>
>>> So now I get the error message: authorization failed, what could be 
>>> the problem ?
>>>
>>> Regards
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> http://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>> I added my account to my home dir's .k5login file; it still doesn't work.
>> Any ideas what else it could be?
>>
>> Regards
>>



Thanks for those debugging tips. Here is the output of the debugging with
the kerberized telnet client:


$ telnet -a -x
telnet> set enc
Encryption debugging enabled
telnet> set opt
Will show option processing.
telnet> set auth
auth debugging enabled
telnet> set debug
Will turn on socket level debugging.
telnet> o tonostix
Trying X.X.X.X...
setsockopt (SO_DEBUG): Permission denied
Connected to hostname.domain.com (X.X.X.X).
Escape character is '^]'.
 >>>TELNET: I support auth type 2 6
 >>>TELNET: I support auth type 2 2
 >>>TELNET: I support auth type 2 0
 >>>TELNET: I support auth type 1 2
 >>>TELNET: I support auth type 1 0
 >>>TELNET: I will support DES_CFB64
 >>>TELNET: I will support DES_OFB64
SENT WILL AUTHENTICATION
SENT DO ENCRYPT
SENT WILL ENCRYPT
SENT DO SUPPRESS GO AHEAD
SENT WILL TERMINAL TYPE
SENT WILL NAWS
SENT WILL TSPEED
SENT WILL LFLOW
SENT WILL LINEMODE
SENT WILL NEW-ENVIRON
SENT DO STATUS
SENT WILL XDISPLOC
Waiting for encryption to be negotiated...
RCVD DO AUTHENTICATION
RCVD IAC SB AUTHENTICATION SEND KERBEROS_V5 CLIENT|MUTUAL|ENCRYPT 
KERBEROS_V5 CLIENT|MUTUAL KERBEROS_V5 CLIENT|ONE-WAY
 >>>TELNET: auth_send got: 02 06 02 02 02 00
 >>>TELNET: He supports 2
 >>>TELNET: Trying 2 6
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos 
database)
 >>>TELNET: He supports 2
 >>>TELNET: Trying 2 2
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos 
database)
 >>>TELNET: He supports 2
 >>>TELNET: Trying 2 0
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos 
database)
SENT IAC SB AUTHENTICATION IS NULL CLIENT|ONE-WAY
 >>>TELNET: Sent failure message
RCVD WILL ENCRYPT
SENT IAC SB ENCRYPT REQUEST-START
 >>>TELNET: Request input to be encrypted
SENT IAC SB ENCRYPT SUPPORT DES_CFB64 DES_OFB64
RCVD DO ENCRYPT
RCVD IAC SB ENCRYPT SUPPORT DES_CFB64 DES_OFB64
 >>>TELNET: He is supporting DES_CFB64 (1)
 >>>TELNET: He is supporting DES_OFB64 (2)
 >>>TELNET: (*ep->start)() returned 7
RCVD WILL SUPPRESS GO AHEAD
RCVD DO TERMINAL TYPE
RCVD DO NAWS
SENT IAC SB NAWS 0 150 (150) 0 47 (47)
RCVD DO TSPEED
RCVD DO LFLOW
RCVD DONT LINEMODE
RCVD DO NEW-ENVIRON
RCVD WILL STATUS
RCVD DO XDISPLOC

Authentication negotation has failed, which is required for
encryption.  Good bye.
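
Added example, not part of the original post: a short Python triage of the client debug transcript above. It decodes the `auth_send got:` bytes into the names shown in the `IAC SB AUTHENTICATION SEND` line and pairs each `Trying` attempt with the error that followed. The function names are hypothetical; the type and modifier values are those of the telnet AUTHENTICATION option (RFC 2941).

```python
import re

# Type and modifier values of the telnet AUTHENTICATION option (RFC 2941).
AUTH_TYPES = {0: "NULL", 1: "KERBEROS_V4", 2: "KERBEROS_V5"}

# Excerpt of the client debug transcript from the post above.
TRACE = """\
 >>>TELNET: auth_send got: 02 06 02 02 02 00
 >>>TELNET: He supports 2
 >>>TELNET: Trying 2 6
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
 >>>TELNET: He supports 2
 >>>TELNET: Trying 2 2
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
 >>>TELNET: He supports 2
 >>>TELNET: Trying 2 0
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
SENT IAC SB AUTHENTICATION IS NULL CLIENT|ONE-WAY
"""

# One attempt, optionally followed by a (possibly line-wrapped) error message.
ATTEMPT = re.compile(
    r"TELNET: Trying (\d+) (\d+)\s*"
    r"(?:telnet: Kerberos V5: failure on credentials\(([^)]*)\))?")

def decode_pair(auth_type, modifier):
    """Render a (type, modifier) pair the way the option trace prints it."""
    flags = ["SERVER" if modifier & 0x01 else "CLIENT",
             "MUTUAL" if modifier & 0x02 else "ONE-WAY"]
    if modifier & 0x14 == 0x04:  # ENCRYPT_USING_TELOPT
        flags.append("ENCRYPT")
    name = AUTH_TYPES.get(auth_type, "TYPE_%d" % auth_type)
    return "%s %s" % (name, "|".join(flags))

def triage(trace):
    """Return (mechanisms offered, [(attempt, error or None)], fell back to NULL)."""
    m = re.search(r"auth_send got:((?: [0-9a-fA-F]{2})+)", trace)
    raw = [int(b, 16) for b in m.group(1).split()] if m else []
    offered = [decode_pair(t, mod) for t, mod in zip(raw[0::2], raw[1::2])]
    attempts = []
    for a in ATTEMPT.finditer(trace):
        error = " ".join(a.group(3).split()) if a.group(3) else None
        attempts.append((decode_pair(int(a.group(1)), int(a.group(2))), error))
    return offered, attempts, "AUTHENTICATION IS NULL" in trace

if __name__ == "__main__":
    print(triage(TRACE))
```

In this trace all three Kerberos V5 attempts fail at the client's credentials step with the same error, after which the client sends NULL authentication.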







