Problems with kerberized telnetd and telnet (fwd)

Kenneth Stephen y2kmvs at ebiz.austin.ibm.com
Tue Jan 14 14:48:41 EST 2003


---------- Forwarded message ----------
Date: Mon, 13 Jan 2003 22:31:24 -0600 (CST)
From: Kenneth Stephen <y2kmvs at ebiz.austin.ibm.com>
To: John Hascall <john at iastate.edu>
Cc: kerberos at mit.edu
Subject: Re: Problems with kerberized telnetd and telnet



On Mon, 13 Jan 2003, John Hascall wrote:

>
>
> First, do:  klist -f
> to make sure your TGT has the forwardable flag set,
> like this:
>
> % klist -f
> Ticket cache: FILE:/var/dss/kerberos/tkt/v5_3e22df980e8a53
> Default principal: john@IASTATE.EDU
>
> Valid starting     Expires            Service principal
> 01/13/03 14:07:19  01/20/03 14:07:19  krbtgt/IASTATE.EDU@IASTATE.EDU
>         Flags: FI
>
>     ...K4 tickets omitted here...
>
> then do:
>
>     telnet -axF ebiz.austin.ibm.com
>
> (-a = auth, -x = encrypt) [I doubt you need the -k realm
>                            if things are properly setup]
>
John,

	Thanks for the quick reply. I did make some progress with the
options that you specified and now when I do the telnet, I can see that I
acquire a ticket for the telnet server host. However, it all goes to
pieces after that. I need to investigate further as to what is happening
before I post again on this matter.

Hi,

	I did some thinking about my problems with keytab formats (see
other post on this list) and decided that this wasn't going to be a problem
for me as I didn't need DCE and Kerberos clients on the same machine. So I
used ktutil to manually add a keytab entry. Here is what I tried:

ktutil: addent -password -p host/ebiz.austin.ibm.com -k 2 -e des-cbc-md5

	The -k flag was given a value of 2 because I assume that this is
the version number of the password in the keytab file and that was the
version in the DCE keytab file. I don't think the two version numbers have
to match, but I was playing safe. The -e flag value was pulled out of thin
air. I had no idea what to put there. Looking at the source code, I saw
that in etypes.c, this was one of the ciphers mentioned so I picked that.
Here is what I now get:

ken@sid:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: y2kmvs@ebiz.austin.ibm.com

Valid starting     Expires            Service principal
01/14/03 09:48:11  01/14/03 19:47:32  krbtgt/ebiz.austin.ibm.com@ebiz.austin.ibm.com
        Flags: FIA
01/14/03 09:48:28  01/14/03 19:47:32  host/ebiz.austin.ibm.com@ebiz.austin.ibm.com
        Flags: FA


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
ken@sid:~$ telnet -axF -k ebiz.austin.ibm.com ebiz.austin.ibm.com
Trying A.B.C.D
Connected to ebiz.austin.ibm.com (A.B.C.D).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached

Authentication negotation has failed, which is required for
encryption.  Good bye.

	Any ideas? Also, what the heck does the 'A' flag for the tickets
specify - the klist manpage doesn't mention this at all.

Thanks,
Kenneth
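A "krb5_rd_req failed: Decrypt integrity check failed" from telnetd means the key telnetd read from its keytab for host/ebiz.austin.ibm.com does not match the key the KDC used to encrypt the service ticket (the usual reasons being a different password/salt, kvno or enctype in the ktutil addent line). The script below is an added example, not part of this thread: it parses the keytab listing printed by "klist -kte" and the KDC's answer from "kvno" and reports whether the two kvnos agree; both sample outputs are constructed, not captured from the poster's hosts.

```sh
#!/bin/sh
# Added example (not from the original thread): compare the kvno recorded in
# the telnetd keytab with the kvno the KDC issues for the same principal.
# Sample outputs below are constructed in the format MIT "klist -kte" and
# "kvno" use; replace them with "$(klist -kte)" and "$(kvno "$PRINC")" live.

PRINC='host/ebiz.austin.ibm.com@ebiz.austin.ibm.com'

KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/14/03 09:40:00 host/ebiz.austin.ibm.com@ebiz.austin.ibm.com (DES cbc mode with RSA-MD5)'

KVNO_OUTPUT='host/ebiz.austin.ibm.com@ebiz.austin.ibm.com: kvno = 3'

# keytab_kvno PRINCIPAL LISTING: print the kvno stored in the keytab for
# PRINCIPAL (column 1; the timestamp occupies columns 2 and 3). Exit 1 if absent.
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$4 == p { print $1; found = 1 } END { exit !found }'
}

# kdc_kvno PRINCIPAL OUTPUT: print the kvno the KDC currently uses for
# PRINCIPAL from a "principal: kvno = N" line. Exit 1 if absent.
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$1 == (p ":") && $2 == "kvno" { print $4; found = 1 } END { exit !found }'
}

# check_kvno PRINCIPAL LISTING OUTPUT: exit 0 when keytab and KDC agree,
# 1 otherwise, printing a one-line verdict either way.
check_kvno() {
    kt=$(keytab_kvno "$1" "$2") || { echo "no keytab entry for $1"; return 1; }
    kdc=$(kdc_kvno "$1" "$3") || { echo "KDC returned no kvno for $1"; return 1; }
    if [ "$kt" = "$kdc" ]; then
        echo "kvno $kt matches for $1"
        return 0
    fi
    echo "kvno mismatch for $1: keytab has $kt, KDC issues $kdc"
    return 1
}

check_kvno "$PRINC" "$KEYTAB_LISTING" "$KVNO_OUTPUT" ||
    echo "-> telnetd cannot decrypt the AP-REQ with this keytab entry"
```

A matching kvno does not prove the keys are equal (a wrong password or salt in addent gives the same kvno with a different key); it only rules out the version mismatch before you re-extract the keytab.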
