Bug in Kerberized telnet??
Ken Raeburn
raeburn at MIT.EDU
Tue Jul 6 12:41:55 EDT 2004
On Jul 6, 2004, at 11:24, Carretti Enrico wrote:
> Hi all, I'd like to submit you a problem: I've configured kerberos
> properly on
> a machine; I've done all the necessary configuration and I can locally
> perform
> "kerberized" telnet sessions, in fact I've replaced the UNIX daemon
> with the
> kerberized one. On the same machine I've also installed Apache,
> becouse in my
> plan I have to let Apache and Kerberos "talk" (with mod_auth_kerb). The
> configuration of the web server is fine, in fact I point my browser on
> the
> port 80 and I can see the default page of Apache. See that Apache and
> Kerberos
> are NOT YET in communication! The problem comes now: I want to test the
> correct installation of Apache simulating an HTTP session with telnet
> (using
> the kerberized version of client and server, of course) and I perform:
I think you're a bit confused about how Kerberos authentication is
performed. It's not a single specific exchange stuck on the front of
every application protocol. In the Telnet protocol, there's an
exchange built in to say "I want to do authentication", "these are the
methods I support", "here's the data". The HTTP protocol has hooks for
authentication too, and a way of using Kerberos within that framework,
but they aren't the same as for telnet.
> $ telnet -a <my.machine> 80
> GET / HTTP/1.1
> Host: <my.machine>
>
> but Apache returns an error, the 501 (i.e. Method not implemented).
> This is
> quite strange but comes clearer if I look to error.log, where I have
>
> [...] "\xff\xfb%GET / HTTP/1.0" 501 304
>
> This means that before GET there are some other characters ( \xff\xfb%
> ), as
> you see not written by me, that make the request fail. Trying with a
> non
> kerberized client to preform the same process I get a correct answer
> by the
> server.
That's the telnet protocol sequence "IAC WILL AUTHENTICATE". If it got
a proper telnet-protocol response saying the server supported it, it
might follow up with the Kerberos credentials. But the web server
expects a different means to be used to incorporate the authentication
data from the client.
Look at the RFCs for the two protocols and you'll see each specifies
how to do authentication.
> Now the final question: those strange characters before GET are
> something like
> the end of the stream of the negotiation with the kerberized telnet
> server put
> there for error??
Close. It's the telnet-protocol offer to do authentication. Since the
server doesn't answer that offer, the authentication isn't actually
done.
As far as I know, you can't use telnet to test the Kerberos support in
Apache. (Well, not by itself. If you wrote a helper application to
get the tickets and format the authentication header to send to the
server, you could cut and paste it into the telnet session.)
Ken
More information about the Kerberos
mailing list