Problem with kerberos telnet option
Richard E. Silverman
res at qoxp.net
Wed Jan 28 13:53:06 EST 2009
>
> I am trying to setup a test kdc server and workstation.
> After I did the setup I can login as user5 using the kerberos
> password. But there still seems to be a problem.
>
> When I telnet from station5 (kerberos server) to station6
> (workstation) I get the following error [krb5-telnet is on]
> -------------------------------
> Waiting for encryption to be negotiated...
>
> Negotiation of authentication, which is required for encryption,
> has failed. Good-bye.
> ---------------------------------------
Try enabling client-side authentication debugging to see what's going on:
sys1:~% telnet
telnet> set authd
auth debugging enabled
telnet> open -a seraph.lionaka.net
Trying ...
Connected to seraph.lionaka.net
Escape character is '^]'.
>>>TELNET: I support auth type 2 6
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: auth_send got: 02 06 02 02 02 00
>>>TELNET: He supports 2
>>>TELNET: He supports 2
>>>TELNET: Trying 2 2
>>>IS:0: [0] (485) 6e 82 01 e1 30 82 01 dd a0 03 02 01 05 a1 03 02
telnet: Sent Kerberos V5 credentials to server
>>>TELNET: Using type 2
[ Kerberos V5 accepts you as ``res at LIONAKA.NET'' ]
Last login: Tue Jan 27 21:57:55
seraph:~%
> When I login to either station5 or station6 using the user5 kerberos
> password (login or ssh), everything seems to be working. But when I go
> from ssh from station6 to station5 it request another login. I
> thought kerberos would only require me to login to station6 and then I
> could ssh directly to station5 without re-entering the password.
>
> Following are my krb5kdc.log messages as mapped by step.
> Following this are my /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf
> files and my results from getprincs.
>
> What I am trying to determine is what are these log messages telling
> me and do they give an indication of what maybe or is my problem.
>
> ####### telnet from station5 to station6
> ####### telnet -Fxl user5 station6.example.com
>
> Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1})
> 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1},
> user5 at STATION5.EXAMPLE.COM for host/
> station6.example.com at STATION5.EXAMPLE.COM
> Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1})
> 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1},
> user5 at STATION5.EXAMPLE.COM for host/
> station6.example.com at STATION5.EXAMPLE.COM
> Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1})
> 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1},
> user5 at STATION5.EXAMPLE.COM for krbtgt/
> STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
> Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1})
> 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1},
> user5 at STATION5.EXAMPLE.COM for krbtgt/
> STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
>
>
>
>
> ###### Following is the messages in krb5kdc.log after ssh login
> ###### from a computer outside realm to
> ###### user5 at station6.example.com
>
> Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: user5 at STATION5.EXAMPLE.COM
> for krbtgt/STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM, Additional pre-
> authentication required
> Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: user5 at STATION5.EXAMPLE.COM
> for krbtgt/STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM, Additional pre-
> authentication required
> Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for krbtgt/
> STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
> Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for krbtgt/
> STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
> Jan 19 21:56:22 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for host/
> station6.example.com at STATION5.EXAMPLE.COM
> Jan 19 21:56:22 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for host/
> station6.example.com at STATION5.EXAMPLE.COM
>
>
> ##### this is after starting the ssh login from station6 to station5
> ##### ssh station5.example.com -l user5
> ##### password has not been entered
>
> Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782,
> user5 at STATION5.EXAMPLE.COM for host/station5 at STATION5.EXAMPLE.COM,
> Server not found in Kerberos database
> Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782,
> user5 at STATION5.EXAMPLE.COM for host/station5 at STATION5.EXAMPLE.COM,
> Server not found in Kerberos database
> Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782,
> user5 at STATION5.EXAMPLE.COM for host/station5 at STATION5.EXAMPLE.COM,
> Server not found in Kerberos database
> Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782,
> user5 at STATION5.EXAMPLE.COM for host/station5 at STATION5.EXAMPLE.COM,
> Server not found in Kerberos database
> Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782,
> user5 at STATION5.EXAMPLE.COM for host/station5 at STATION5.EXAMPLE.COM,
> Server not found in Kerberos database
> Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782,
> user5 at STATION5.EXAMPLE.COM for host/station5 at STATION5.EXAMPLE.COM,
> Server not found in Kerberos database
>
> #####after password entry when ssh from station6 to station5
>
> Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.5: NEEDED_PREAUTH: user5 at STATION5.EXAMPLE.COM
> for krbtgt/STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM, Additional pre-
> authentication required
> Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.5: NEEDED_PREAUTH: user5 at STATION5.EXAMPLE.COM
> for krbtgt/STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM, Additional pre-
> authentication required
> Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for krbtgt/
> STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
> Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for krbtgt/
> STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
> Jan 19 21:59:37 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for host/
> station5.example.com at STATION5.EXAMPLE.COM
> Jan 19 21:59:37 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16
> tkt=16 ses=16}, user5 at STATION5.EXAMPLE.COM for host/
> station5.example.com at STATION5.EXAMPLE.COM
>
>
>
> ##### results of getprincs
>
> K/M at STATION5.EXAMPLE.COM
> host/station5.example.com at STATION5.EXAMPLE.COM
> host/station6.example.com at STATION5.EXAMPLE.COM
> kadmin/admin at STATION5.EXAMPLE.COM
> kadmin/changepw at STATION5.EXAMPLE.COM
> kadmin/history at STATION5.EXAMPLE.COM
> kadmin/station5 at STATION5.EXAMPLE.COM
> krbtgt/STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
> root/admin at STATION5.EXAMPLE.COM
> user5 at STATION5.EXAMPLE.COM
>
>
> #####following is my /etc/krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = STATION5.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> STATION5.EXAMPLE.COM = {
> kdc = 192.168.1.5:88
> admin_server = 192.168.1.5:749
> }
>
> [domain_realm]
> station5.example.com = STATION5.EXAMPLE.COM
> station6.example.com = STATION5.EXAMPLE.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> validate = true
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> ##### Following are the results of getprincs
>
> Authenticating as principal root/admin at STATION5.EXAMPLE.COM with
> password.
> kadmin.local: getprincs
> K/M at STATION5.EXAMPLE.COM
> host/station5.example.com at STATION5.EXAMPLE.COM
> host/station6.example.com at STATION5.EXAMPLE.COM
> kadmin/admin at STATION5.EXAMPLE.COM
> kadmin/changepw at STATION5.EXAMPLE.COM
> kadmin/history at STATION5.EXAMPLE.COM
> kadmin/station5 at STATION5.EXAMPLE.COM
> krbtgt/STATION5.EXAMPLE.COM at STATION5.EXAMPLE.COM
> root/admin at STATION5.EXAMPLE.COM
> user5 at STATION5.EXAMPLE.COM
>
>
> ############Following is my /var/kerberos/krb5kdc/kdc.conf
>
> [kdcdefaults]
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> v4_mode = nopreauth
>
> [realms]
> STATION5.EXAMPLE.COM = {
> master_key_type = des3-hmac-sha1
> default_principal_flags = +preauth
> # supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> }
--
Richard Silverman
res at qoxp.net
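The quoted krb5kdc.log excerpts carry the two facts that matter for this thread: the ssh client from station6 asked the KDC for host/station5@STATION5.EXAMPLE.COM (UNKNOWN_SERVER) while the database only holds host/station5.example.com, and the telnet client offered a single encryption type (etypes {1}) and received a ticket with a des-cbc-crc session key (ses=1). The script below is an added example, not code from Richard Silverman or the original poster: it parses entries in the KDC log format shown above and cross-checks them against a getprincs list, flagging service-principal requests that only match a registered principal once a domain suffix is added, and tickets issued with single-DES session keys. The sample log lines and principal list are constructed from the thread's entries with the archive's line wrapping undone and "@" restored (the archive renders it as " at "); the etype names come from the standard Kerberos encryption-type numbering.

```python
"""Audit MIT krb5 KDC log entries against a principal list (added example)."""
import re

# One krb5kdc.log request entry, in the format quoted in the thread.
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# "client@REALM for service/host@REALM" inside the detail part of an entry.
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+?@\S+?)(?:,|$)")
SES_RE = re.compile(r"ses=(\d+)")

# Encryption type numbers from RFC 3961, RFC 3962 and RFC 4757.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}

# Constructed sample: the thread's entries, unwrapped, with "@" restored.
SAMPLE_LOG = """\
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM, Additional pre-authentication required
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, user5@STATION5.EXAMPLE.COM for host/station6.example.com@STATION5.EXAMPLE.COM
"""

# Constructed from the thread's getprincs output.
KNOWN_PRINCIPALS = [
    "K/M@STATION5.EXAMPLE.COM",
    "host/station5.example.com@STATION5.EXAMPLE.COM",
    "host/station6.example.com@STATION5.EXAMPLE.COM",
    "kadmin/admin@STATION5.EXAMPLE.COM",
    "kadmin/changepw@STATION5.EXAMPLE.COM",
    "kadmin/history@STATION5.EXAMPLE.COM",
    "kadmin/station5@STATION5.EXAMPLE.COM",
    "krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM",
    "root/admin@STATION5.EXAMPLE.COM",
    "user5@STATION5.EXAMPLE.COM",
]


def parse_entry(line):
    """Return a dict for one KDC request entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["offered_etypes"] = [int(e) for e in entry.pop("etypes").split()]
    p = PRINC_RE.search(entry["detail"])
    entry["client"] = p.group("client") if p else None
    entry["server"] = p.group("server") if p else None
    s = SES_RE.search(entry["detail"])
    entry["session_etype"] = int(s.group(1)) if s else None
    return entry


def audit(lines, known_principals):
    """Cross-check log entries against the KDC's principal list."""
    known = set(known_principals)
    findings = {"unknown_server": [], "weak_session_key": []}
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e["status"] == "UNKNOWN_SERVER" and e["server"]:
            name, realm = e["server"].rsplit("@", 1)
            # A registered principal equal to the requested name plus a domain
            # suffix means the client asked for the unqualified host name.
            candidates = sorted(
                k for k in known
                if k.endswith("@" + realm) and k.rsplit("@", 1)[0].startswith(name + "."))
            findings["unknown_server"].append({
                "ts": e["ts"], "client": e["client"], "requested": e["server"],
                "registered_match": candidates[0] if candidates else None})
        if e["status"] == "ISSUE" and e["session_etype"] in SINGLE_DES:
            findings["weak_session_key"].append({
                "ts": e["ts"], "client": e["client"], "server": e["server"],
                "offered": e["offered_etypes"],
                "session_etype": ETYPE_NAMES.get(e["session_etype"], str(e["session_etype"]))})
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG.splitlines(), KNOWN_PRINCIPALS).items():
        for item in items:
            print(kind, item)
```

Run it against a real krb5kdc.log by replacing SAMPLE_LOG with the file's lines and KNOWN_PRINCIPALS with the output of kadmin.local getprincs; an UNKNOWN_SERVER finding with a registered_match is the pattern seen in this thread, where the client built its service principal from a short host name rather than the fully qualified name the keytab was issued for.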