Problems with kerberized telnetd and telnet - progress! (fwd)
John Hascall
john at iastate.edu
Tue Jan 14 16:40:32 EST 2003
Whose telnetd and login are you using?
I can see that telnetd is receiving your forwarded tickets
(and if this is that telnetd that comes with krb5 it is
putting them in a ticket file and setting KRB5CCNAME)
Then, depending on how you compiled it, it should hopefully
be passing '-f' or '-F' to login to tell it what's up.
Your login can then decide to honor/not-honor these
forwarded credentials (probably through the krb5_kuserok
function).
John
> Hi,
>
> Actually, on rereading the stuff I pasted below, I realized that
> my local password _hadnt_ worked. So I tried things again, and here is
> what I now get :
>
> ken at sid:~$ USER=y2kmvs at ebiz.austin.ibm.com telnet -axF -k ebiz.austin.ibm.com
ebiz.austin.ibm.com
> Trying A.B.C.D...
> Connected to ebiz.austin.ibm.com (A.B.C.D).
> Escape character is '^]'. <telnet
> Waiting for encryption to be negotiated... <telnet
> [ Kerberos V5 accepts you as ``y2kmvs at ebiz.austin.ibm.com'' ] <telnet
> [ Kerberos V5 accepted forwarded credentials ] <telnet
> done. <telnet
> Password for y2kmvs at ebiz.austin.ibm.com: <???
> Login incorrect <???
> login: y2kmvs <login
> Password for y2kmvs: <login
> Last login: Tue Jan 14 15:15:21 from kenneth.austin.ibm.com < :
> login/v4: Cannot contact any KDC for requested realm converting to V4 credent
ials
> y2kmvs at ebiz.austin.ibm.com: Internal credentials cache error when initializin
g cache
> Linux ebiz.austin.ibm.com 2.2.20 #2 Fri Dec 7 18:28:51 CST 2001 i586 unknown
>
> This time, the DCE password didnt work at the "Password for
> y2kmvs at ..." prompt, but worked three lines down. Again, any ideas?
>
> Thanks,
> Kenneth
>
> ---------- Forwarded message ----------
> Date: Tue, 14 Jan 2003 15:18:34 -0600 (CST)
> From: Kenneth Stephen <y2kmvs at ebiz.austin.ibm.com>
> To: Ken Hornstein <kenh at cmf.nrl.navy.mil>
> Cc: kerberos at mit.edu
> Subject: Re: Problems with kerberized telnetd and telnet - progress!
>
>
>
> On Tue, 14 Jan 2003, Ken Hornstein wrote:
>
> >
> > >[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed:
Decrypt integrity check failed ]
> >
> > This means, essentially, "Password incorrect", and that means that the
> > password (key) in your keytab doesn't match the one stored in your KDC
> > for this principal. You'll have to get them in sync somehow (I don't
> > really know that much about DCE to help you).
> >
> Ken,
>
> Even though I couldnt believe that the password was incorrect (I
> had carefully typed in the passwords on the DCE and Kerberos side), I
> check my assumptions and found out that you were correct. Here is what I
> get now :
>
> ken at sid:~$ kinit y2kmvs at ebiz.austin.ibm.com
> Password for y2kmvs at ebiz.austin.ibm.com:
> ken at sid:~$ USER=y2kmvs at ebiz.austin.ibm.com telnet -axF -k ebiz.austin.ibm.com
ebiz.austin.ibm.com
> Trying A.B.C.D.
> Connected to ebiz.austin.ibm.com (A.B.C.D).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> [ Kerberos V5 accepts you as ``y2kmvs at ebiz.austin.ibm.com'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> done.
> Password for y2kmvs at ebiz.austin.ibm.com:
> Login incorrect
> login: y2kmvs
> Password for y2kmvs:
> y2kmvs: Kerberos password incorrect
> Kerberos error: Can't send request (send_to_kdc)
> Last login: Tue Jan 14 13:46:44 from kenneth.austin.ibm.com
> login/v4: Cannot contact any KDC for requested realm converting to V4 credent
ials
> Linux ebiz.austin.ibm.com 2.2.20 #2 Fri Dec 7 18:28:51 CST 2001 i586 unknown
>
>
> Actually, I wasnt expecting a password prompt at all. Furthermore,
> the password that finally worked isnt the DCE/Kerberos password but the
> local password for the id y2kmvs. Any ideas as to what gives?
>
> Thanks,
> Kenneth
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list