Problems with kerberized telnetd and telnet - progress! (fwd)

John Hascall john at iastate.edu
Tue Jan 14 16:40:32 EST 2003


Whose telnetd and login are you using?

I can see that telnetd is receiving your forwarded tickets
(and if this is the telnetd that comes with krb5, it is
putting them in a ticket file and setting KRB5CCNAME).
Then, depending on how you compiled it, it should hopefully
be passing '-f' or '-F' to login to tell it what's up.
Your login can then decide to honor/not-honor these
forwarded credentials (probably through the krb5_kuserok
function).

John

> Hi,
> 
> 	Actually, on rereading the stuff I pasted below, I realized that
> my local password _hadn't_ worked. So I tried things again, and here is
> what I now get:
> 
> ken at sid:~$ USER=y2kmvs at ebiz.austin.ibm.com telnet -axF -k ebiz.austin.ibm.com ebiz.austin.ibm.com
> Trying A.B.C.D...
> Connected to ebiz.austin.ibm.com (A.B.C.D).
> Escape character is '^]'.                                       <telnet
> Waiting for encryption to be negotiated...                      <telnet
> [ Kerberos V5 accepts you as ``y2kmvs at ebiz.austin.ibm.com'' ]   <telnet
> [ Kerberos V5 accepted forwarded credentials ]                  <telnet
> done.                                                           <telnet
> Password for y2kmvs at ebiz.austin.ibm.com:                        <???
> Login incorrect                                                 <???
> login: y2kmvs                                                   <login
> Password for y2kmvs:                                            <login
> Last login: Tue Jan 14 15:15:21 from kenneth.austin.ibm.com     <  :
> login/v4: Cannot contact any KDC for requested realm converting to V4 credentials
> y2kmvs at ebiz.austin.ibm.com: Internal credentials cache error when initializing cache
> Linux ebiz.austin.ibm.com 2.2.20 #2 Fri Dec 7 18:28:51 CST 2001 i586 unknown
> 
> 	This time, the DCE password didn't work at the "Password for
> y2kmvs at ..." prompt, but worked three lines down. Again, any ideas?
> 
> Thanks,
> Kenneth
> 
> ---------- Forwarded message ----------
> Date: Tue, 14 Jan 2003 15:18:34 -0600 (CST)
> From: Kenneth Stephen <y2kmvs at ebiz.austin.ibm.com>
> To: Ken Hornstein <kenh at cmf.nrl.navy.mil>
> Cc: kerberos at mit.edu
> Subject: Re: Problems with kerberized telnetd and telnet - progress!
> 
> 
> 
> On Tue, 14 Jan 2003, Ken Hornstein wrote:
> 
> >
> > >[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
> >
> > This means, essentially, "Password incorrect", and that means that the
> > password (key) in your keytab doesn't match the one stored in your KDC
> > for this principal.  You'll have to get them in sync somehow (I don't
> > really know that much about DCE to help you).
> >
> Ken,
> 
> 	Even though I couldn't believe that the password was incorrect (I
> had carefully typed in the passwords on the DCE and Kerberos side), I
> checked my assumptions and found out that you were correct. Here is what I
> get now:
> 
> ken at sid:~$ kinit y2kmvs at ebiz.austin.ibm.com
> Password for y2kmvs at ebiz.austin.ibm.com:
> ken at sid:~$ USER=y2kmvs at ebiz.austin.ibm.com telnet -axF -k ebiz.austin.ibm.com ebiz.austin.ibm.com
> Trying A.B.C.D.
> Connected to ebiz.austin.ibm.com (A.B.C.D).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> [ Kerberos V5 accepts you as ``y2kmvs at ebiz.austin.ibm.com'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> done.
> Password for y2kmvs at ebiz.austin.ibm.com:
> Login incorrect
> login: y2kmvs
> Password for y2kmvs:
> y2kmvs: Kerberos password incorrect
> Kerberos error: Can't send request (send_to_kdc)
> Last login: Tue Jan 14 13:46:44 from kenneth.austin.ibm.com
> login/v4: Cannot contact any KDC for requested realm converting to V4 credentials
> Linux ebiz.austin.ibm.com 2.2.20 #2 Fri Dec 7 18:28:51 CST 2001 i586 unknown
> 
> 
> 	Actually, I wasn't expecting a password prompt at all. Furthermore,
> the password that finally worked isn't the DCE/Kerberos password but the
> local password for the id y2kmvs. Any ideas as to what gives?
> 
> Thanks,
> Kenneth
> 
> 
> 
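
Added example, not part of the original thread and not MIT krb5 code: a simplified Python model of the default decision krb5_kuserok makes when login is asked to honor forwarded credentials, as described in the reply at the top. The function names, the `EXAMPLE.TEST` realm and the `alice`/`bob` principals are constructed; only the `.k5login` allow-list and the default principal-to-local-name rule are modelled.

```python
import os
import tempfile
from pathlib import Path


def aname_to_localname(principal, default_realm):
    """Default rule only: one-component 'name@DEFAULT_REALM' maps to 'name'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or "/" in name or realm != default_realm:
        return None  # instances and foreign realms get no local name
    return name


def kuserok(principal, luser, home, luser_uid, default_realm):
    """Return True if `principal` may log in to local account `luser`."""
    k5login = Path(home) / ".k5login"
    try:
        st = k5login.stat()
    except FileNotFoundError:
        # No .k5login: fall back to the principal-to-local-name mapping.
        return aname_to_localname(principal, default_realm) == luser
    # A file owned by neither the account nor root is not trusted.
    if st.st_uid not in (0, luser_uid):
        return False
    listed = {line.strip() for line in k5login.read_text().splitlines()}
    # Once .k5login exists it is the whole allow-list for the account.
    return principal in listed


if __name__ == "__main__":
    realm = "EXAMPLE.TEST"  # constructed realm
    with tempfile.TemporaryDirectory() as home:
        uid = os.getuid()
        # Principal matches the account name: honored.
        print(kuserok("alice@EXAMPLE.TEST", "alice", home, uid, realm))
        # Account name given as a full principal string: no such mapping.
        print(kuserok("alice@EXAMPLE.TEST", "alice@EXAMPLE.TEST", home, uid, realm))
        # .k5login present and listing someone else: alice is now refused.
        (Path(home) / ".k5login").write_text("bob@EXAMPLE.TEST\n")
        print(kuserok("alice@EXAMPLE.TEST", "alice", home, uid, realm))
        print(kuserok("bob@EXAMPLE.TEST", "alice", home, uid, realm))
```

When the check refuses, login falls back to its normal password prompt even though telnetd has already accepted the forwarded credentials.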




