anyone who has a working heimdal + krb5-telnet + Cisco????
jay alvarez
kerber0sb0y at yahoo.com
Wed Jan 18 00:49:50 EST 2006
Good day!
I'm trying to configure a Cisco router (7206 12.2) to use krb5-telnet as the default authentication; however, I bumped into the following problems:
On kdc:
encode_as_rep_as_tgs_rep = true (krb5.conf {kdc})
del_enctype host/our.router {all except des-cbc-crc }
On router:
#conf t
#aaa new-model
#aaa authentication login default krb5-telnet krb5 group radius local
#kerberos local-realm OUR.REALM
#kerberos srvtab entry remote 10.10.10.1 /tftp/krb5.keytab
And I got:
Loading /tftp/krb5.keytab from 10.10...
[OK - 71 bytes]
truncated srvtab!... Discarding
Failed to retrieve srvtab from tftp://10.10
1 1 8
And if I don't delete other etypes I got:
Loading /tftp/krb5.keytab from 10.10....
[OK - 209 bytes]
No principals in srvtab! Discarding...
Failed to retrieve srvtab from tftp://..! ..
1 3 8
However, when I looked into my running config using sho run, I can see that the host/our.router at OUR.REALM has been created
On des-cbc-crc encryption srvtab:
the timestamp is followed by these numbers (1 1 8 ) which means that indeed it uses des...
While the other srvtab has (1 3 8)
In both cases:
When I try telnetting to our.router:
#telnet our.router
[ Trying mutual KERBEROS5 (host/our.router at OUR.REALM)... ]
*** Connection not encrypted! Communication may be eavesdropped. ***
Server refused to negotiate encryption.
##
It failed....
If I don't remove all encryption types for that host principal, the router doesn't throw any "Truncated" error but instead it says "No principals in srvtab!". In both cases, the same "Server refused to negotiate encryption" error occurs.
Any idea where I might have gone wrong??
Aren't Heimdal and MIT both compatible with Cisco's???
That's all for now... thanks!!