Bug in Kerberized telnet??
John Hascall
john at iastate.edu
Tue Jul 6 13:05:40 EDT 2004
Some (better, I'd say) telnet implementations
don't initiate any telnet option processing
if you specify a (non-standard) port# so
you *can* use it to test other tcp-based
protocols. Looks like this was doesn't
(but perhaps it has an option to do so).
John
> On Jul 6, 2004, at 11:24, Carretti Enrico wrote:
>
> > Hi all, I'd like to submit you a problem: I've configured kerberos
> > properly on
> > a machine; I've done all the necessary configuration and I can locally
> > perform
> > "kerberized" telnet sessions, in fact I've replaced the UNIX daemon
> > with the
> > kerberized one. On the same machine I've also installed Apache,
> > becouse in my
> > plan I have to let Apache and Kerberos "talk" (with mod_auth_kerb). The
> > configuration of the web server is fine, in fact I point my browser on
> > the
> > port 80 and I can see the default page of Apache. See that Apache and
> > Kerberos
> > are NOT YET in communication! The problem comes now: I want to test the
> > correct installation of Apache simulating an HTTP session with telnet
> > (using
> > the kerberized version of client and server, of course) and I perform:
>
> I think you're a bit confused about how Kerberos authentication is
> performed. It's not a single specific exchange stuck on the front of
> every application protocol. In the Telnet protocol, there's an
> exchange built in to say "I want to do authentication", "these are the
> methods I support", "here's the data". The HTTP protocol has hooks for
> authentication too, and a way of using Kerberos within that framework,
> but they aren't the same as for telnet.
>
>
> > $ telnet -a <my.machine> 80
> > GET / HTTP/1.1
> > Host: <my.machine>
> >
> > but Apache returns an error, the 501 (i.e. Method not implemented).
> > This is
> > quite strange but comes clearer if I look to error.log, where I have
> >
> > [...] "\xff\xfb%GET / HTTP/1.0" 501 304
> >
> > This means that before GET there are some other characters ( \xff\xfb%
> > ), as
> > you see not written by me, that make the request fail. Trying with a
> > non
> > kerberized client to preform the same process I get a correct answer
> > by the
> > server.
>
> That's the telnet protocol sequence "IAC WILL AUTHENTICATE". If it got
> a proper telnet-protocol response saying the server supported it, it
> might follow up with the Kerberos credentials. But the web server
> expects a different means to be used to incorporate the authentication
> data from the client.
>
> Look at the RFCs for the two protocols and you'll see each specifies
> how to do authentication.
>
> > Now the final question: those strange characters before GET are
> > something like
> > the end of the stream of the negotiation with the kerberized telnet
> > server put
> > there for error??
>
> Close. It's the telnet-protocol offer to do authentication. Since the
> server doesn't answer that offer, the authentication isn't actually
> done.
>
> As far as I know, you can't use telnet to test the Kerberos support in
> Apache. (Well, not by itself. If you wrote a helper application to
> get the tickets and format the authentication header to send to the
> server, you could cut and paste it into the telnet session.)
>
> Ken
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list