Kerberized telnetd: -a valid option & eight char limit on account names

hwntw hwntw at
Fri Oct 22 05:48:23 EDT 2004

Jeffrey Altman <jaltman2 at> wrote in message news:<CrWdd.89918$Ot3.63537 at>...
> Which Microsoft telnet.exe are you using that supports Kerberos 5 
> authentication?  As far as I am aware, the Microsoft telnet.exe
> only supports NTLM.
> Jeffrey Altman
> ROSS, Colin wrote:
> > While testing use of the product VAS, I found that I could
> > not get the -a valid argument to telnetd to work. I had to regress to
> > the position of removing the -a valid argument from telnetd, whilst
> > using the -aFx arguments with the M$ telnet client. A pity because I
> > hoped to make telnet connections to my Solaris 9 Sparc box with needing
> > to supply account names and passwords. I am at the position of not
> > needing to supply account names right now.
> > I also found that using the telnetd that came with the Kerberos 1.3.5 I
> > compiled left me with a problem arising from the use of long (> eight
> > char) account names. My own account works fine, since it is quite short.
> > Other users have been unable to telnet to the Solaris 9 box because
> > their login is stumped when the account is a long name. For example,
> > jonesj will work, but williamsmithf will not. This is a real pain as all
> > account names are managed in M$ Active Directory product and some of the
> > names are quite long (aren't people a bore, having such names).
> > My point is, how can I re-compile Kerberos/telnetd to build in support
> > for long account names? Secondly, what are the requisite steps I must
> > take to permit the -a valid argument to telnetd to work? Is this keytab
> > related?
> > Best
> > Colin
> > PS Thx again for the previous assist re. 64 bit kerberos compile- works
> > fine
> > 
> > Colin Ross
> > Readers & Technical Services Librarian
> > Library
> > House of Lords
> > London
> > SW1A 0PW
> > 
> > 0207 219 2511
> > 

The Kerberos bit comes in because Vintela VAS authentication is
essentially Kerberos auth. If I log in and do klist I get:

Ticket cache: FILE:/tmp/krb5cc_1001_SQ2421
Default principal: [xxx]@PARLIAMENT.UK

Valid starting     Expires            Service principal
10/22/04 10:00:13  10/22/04 20:00:14 
        renew until 10/23/04 10:00:13

That is the result of the Vintela product authenticating to Active
Directory. Point is I telnet using a kerberised telnetd from the MIT
distribution. Praps I am being unrealistic in expecting the -a valid
argument to telnetd to work in this case. Nevertheless, the issue of
the eight char limit on account names is still germane, as this is a
Kerberos telnetd we are talking about, not the in.telnetd that comes
with Solaris 9 (and which does not work at all with Vintela VAS). I
should have mentioned that ssh connections do not exhibit this eight
char account name limit.
