kerberized telnet

Matt Zagrabelny mzagrabe at d.umn.edu
Fri Apr 2 14:33:26 EDT 2010


Greetings,

I am trying to debug a Kerberos setup with a MIT KDC/TGS and Cisco
Catalyst 3750. Things are progressing, but I've hit a wall.

Here is what I perform on my workstation:

$ kinit
$ telnet kplz354s2
Trying 10.25.1.14...
Will send login name and/or authentication information.
Connected to kplz354s2.d.umn.edu (10.25.1.14).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``mzagrabe@D.UMN.EDU'' ]

% Authentication failed
Connection closed by foreign host.

This may be an obvious question, but

does the "Kerberos V5 accepts you as ``blah''" come from the switch?

I am trying to cover all the bases here and the switch is definitely
reporting "Authentication failed", so I am wondering if it is also
reporting the "accepts you as" line as well.

I've performed some tcpdump/wireshark and didn't see anything that would
indicate that the switch believes me to be mzagrabe@D.UMN.EDU.

Also, for those who are cisco-nuts, here are the relevant configs from
the switch:

aaa new-model
!
aaa user profile mzagrabe@D.UMN.EDU
aaa user profile mzagrabe
!
aaa authentication attempts login 1
aaa authentication login telnet krb5-telnet
aaa authorization exec default if-authenticated 
aaa authorization exec telnet if-authenticated 
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
switch 1 provision ws-c3750-24ts
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip domain-name d.umn.edu
ip name-server 131.212.32.32
!
!
kerberos local-realm D.UMN.EDU
kerberos srvtab entry host/kplz354s2.d.umn.edu@D.UMN.EDU <stuff removed>
kerberos realm .d.umn.edu D.UMN.EDU
kerberos clients mandatory
kerberos server D.UMN.EDU 131.212.60.117
kerberos credentials forward

Thanks,

-- 
Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 4096R/42A00942 2009-12-16
Fingerprint: 5814 2CCE 2383 2991 83FF  C899 07E2 BFA8 42A0 0942

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
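
For checking a capture like the tcpdump/wireshark one mentioned in the post: in Telnet authentication (RFC 2941, with the Kerberos V5 type defined in RFC 2942) the server reports its decision in an AUTHENTICATION REPLY subnegotiation carrying ACCEPT or REJECT. The following is an added example, not part of the original post; it lists those events from the raw bytes of one direction of the session, and the sample bytes and the name user@EXAMPLE.COM are constructed.

```python
# Added example: list Kerberos V5 events in Telnet AUTHENTICATION
# subnegotiations (option 37, RFC 2941; Kerberos V5 is auth type 2, RFC 2942).
IAC, SB, SE = 255, 250, 240
OPT_AUTHENTICATION, AUTH_KERBEROS_V5 = 37, 2
SUBCMD = {0: "IS", 1: "SEND", 2: "REPLY", 3: "NAME"}
KRB5_CMD = {0: "AUTH", 1: "REJECT", 2: "ACCEPT", 3: "RESPONSE",
            4: "FORWARD", 5: "FORWARD_ACCEPT", 6: "FORWARD_REJECT"}


def subnegotiations(stream: bytes):
    """Yield each IAC SB ... IAC SE payload with IAC IAC un-doubled."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # IAC IAC is 2 bytes; WILL/WONT/DO/DONT (251-254) carry an option byte.
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        else:
            i += 2
            body = bytearray()
            while i < n:
                if stream[i] != IAC:
                    body.append(stream[i])
                    i += 1
                elif i + 1 < n and stream[i + 1] == IAC:
                    body.append(IAC)
                    i += 2
                else:
                    # IAC SE closes the block; anything else (or a cut-off
                    # capture) is dropped as malformed.
                    if i + 1 < n and stream[i + 1] == SE:
                        yield bytes(body)
                    i += 2
                    break


def krb5_events(stream: bytes):
    """Return (subcommand, krb5 command, data) for each Kerberos V5 IS/REPLY."""
    events = []
    for p in subnegotiations(stream):
        # Layout: option, IS|REPLY, auth type, modifier, krb5 command, data
        if (len(p) >= 5 and p[0] == OPT_AUTHENTICATION and p[1] in (0, 2)
                and p[2] == AUTH_KERBEROS_V5):
            events.append((SUBCMD[p[1]], KRB5_CMD.get(p[4], f"unknown({p[4]})"), p[5:]))
    return events


# Constructed server-to-client bytes (not taken from the post's capture).
SAMPLE_FROM_SERVER = (bytes([IAC, 253, 37])  # IAC DO AUTHENTICATION
    + bytes([IAC, SB, 37, 2, 2, 2, 2]) + b"user@EXAMPLE.COM" + bytes([IAC, SE])
    + b"\r\n% Authentication failed\r\n")
```

Feed krb5_events() the reassembled payload of the server-to-client direction; a REPLY with ACCEPT or REJECT in the result is the server's own answer to the Kerberos exchange.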