Problems with kerberized telnetd and telnet (fwd)
Kenneth Stephen
y2kmvs at ebiz.austin.ibm.com
Tue Jan 14 14:48:41 EST 2003
---------- Forwarded message ----------
Date: Mon, 13 Jan 2003 22:31:24 -0600 (CST)
From: Kenneth Stephen <y2kmvs at ebiz.austin.ibm.com>
To: John Hascall <john at iastate.edu>
Cc: kerberos at mit.edu
Subject: Re: Problems with kerberized telnetd and telnet
On Mon, 13 Jan 2003, John Hascall wrote:
>
>
> First, do: klist -f
> to make sure your TGT has the forwardable flag set,
> like this:
>
> % klist -f
> Ticket cache: FILE:/var/dss/kerberos/tkt/v5_3e22df980e8a53
> Default principal: john at IASTATE.EDU
>
> Valid starting Expires Service principal
> 01/13/03 14:07:19 01/20/03 14:07:19 krbtgt/IASTATE.EDU at IASTATE.EDU
> Flags: FI
>
> ...K4 tickets omitted here...
>
> then do:
>
> telnet -axF ebiz.austin.ibm.com
>
> (-a = auth, -x = encrypt) [I doubt you need the -k realm
> if things are properly setup]
>
John,
Thanks for the quick reply. I did make some progress with the
options that you specified and now when I do the telnet, I can see that I
acquire a ticket for the telnet server host. However, it all goes to
pieces after that. I need to investigate further as to what is happening
before I post again on this matter.
Hi,
I did some thinking about my problems with keytab formats (see
other post on this list) and decided that this wasn't going to be a problem
for me as I didn't need DCE and Kerberos clients on the same machine. So I
used ktutil to manually add a keytab entry. Here is what I tried :
ktutil: addent -password -p host/ebiz.austin.ibm.com -k 2 -e des-cbc-md5
The -k flag was given a value of 2 because I assume that this is
the version number of the password in the keytab file and that was the
version in the DCE keytab file. I don't think the two version numbers have
to match, but I was playing safe. The -e flag value was pulled out of thin
air. I had no idea what to put there. Looking at the source code, I saw
that in etypes.c, this was one of the ciphers mentioned so I picked that.
Here is what I now get :
ken at sid:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: y2kmvs at ebiz.austin.ibm.com
Valid starting Expires Service principal
01/14/03 09:48:11 01/14/03 19:47:32 krbtgt/ebiz.austin.ibm.com at ebiz.austin.ibm.com
Flags: FIA
01/14/03 09:48:28 01/14/03 19:47:32 host/ebiz.austin.ibm.com at ebiz.austin.ibm.com
Flags: FA
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
ken at sid:~$ telnet -axF -k ebiz.austin.ibm.com ebiz.austin.ibm.com
Trying A.B.C.D
Connected to ebiz.austin.ibm.com (A.B.C.D).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached
Authentication negotation has failed, which is required for
encryption. Good bye.
Any ideas? Also, what the heck does the 'A' flag for the tickets
specify - the klist manpage doesn't mention this at all.
Thanks,
Kenneth
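When krb5_rd_req reports "Decrypt integrity check failed", the usual defender's first step is to confirm what the service keytab actually holds (principal, kvno, enctype) and compare it with the host ticket klist shows. The following is an added example, not code from the thread or from MIT Kerberos: it parses the MIT keytab file format (version 0x0502) and, for sample input, builds an entry mirroring the addent above (kvno 2, des-cbc-md5 = enctype 3 per RFC 3961, with a made-up key). The names parse_keytab, build_keytab, ENCTYPES and SAMPLE_KEYTAB are this example's own.

```python
import struct

# RFC 3961 enctype numbers (subset) for readable output.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _octets(data: bytes, pos: int):
    """Read a counted_octet_string (uint16 length + bytes); return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry of an MIT 0x0502 keytab: principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _octets(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _octets(data, pos + 11)
        # A 32-bit vno trails the keyblock only when at least 4 bytes remain in the entry.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)), "key": key})
        pos = end
    return entries

def build_keytab(principal: str, realm: str, kvno: int, etype: int, key: bytes) -> bytes:
    """Serialise a single entry in the same format; used here only to construct sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1042560000, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", etype) + struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: the host principal from the post, kvno 2, des-cbc-md5, dummy 8-byte key.
SAMPLE_KEYTAB = build_keytab("host/ebiz.austin.ibm.com", "ebiz.austin.ibm.com", 2, 3, bytes(8))
```

Run parse_keytab over a real /etc/krb5.keytab and compare the kvno and enctype of the host entry against the service ticket klist -e shows; a mismatch in either explains a failed krb5_rd_req without touching the KDC.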