kerberized telnet
Marcus Watts
mdw at umich.edu
Fri Apr 2 15:07:53 EDT 2010
> Date: Fri, 02 Apr 2010 13:33:26 CDT
> To: kerberos <kerberos at mit.edu>
> From: Matt Zagrabelny <mzagrabe at d.umn.edu>
> Subject: kerberized telnet
>
> Greetings,
>
> I am trying to debug a Kerberos setup with a MIT KDC/TGS and Cisco
> Catalyst 3750. Things are progressing, but I've hit a wall.
>
> Here is what I perform on my workstation:
>
> $ kinit
> $ telnet kplz354s2
> Trying 10.25.1.14...
> Will send login name and/or authentication information.
> Connected to kplz354s2.d.umn.edu (10.25.1.14).
> Escape character is '^]'.
> [ Kerberos V5 accepts you as ``mzagrabe at D.UMN.EDU'' ]
>
> % Authentication failed
> Connection closed by foreign host.
...
The message "Kerberos V5 accepts" comes from your local telnet client.
It means that at some basic level kerberos 5 negotiation succeeded with
the telnet server.

There's an "authdebug" option you can set.
You can probably get more debug output using:

    $ telnet
    telnet> set authdebug
    telnet> open kplz354s2
    ...

Use "set ?" to see what else you can do - there are additional debugging
options. If you have something else for which you can successfully do
kerberos authentication, you should compare the results.

Off-hand, I wonder what encryption types you have. You might want to
check encryption types in the kdc logs, & encryption types and flags on
the various principals involved. klist -fea may also be interesting.

If the string you rightfully didn't show us is really a srvtab, the
service principal you gave to the cisco must not have any non-des key
types in the kdc.
-Marcus Watts
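
Added example, not part of the original message: one way to run the key-type check suggested above, by filtering the text that MIT kadmin prints for "getprinc" and listing every key that is not single DES. The principal name and the sample output are constructed placeholders, and the "Key: vno N, enctype, salt" line layout is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads "getprinc" text on stdin and
# prints each key type that is NOT single DES (des3-* counts as non-DES).
non_des_keys() {
    awk -F', *' '
        /^Key: vno / {
            etype = $2
            sub(/^DEPRECATED:/, "", etype)   # newer releases may prefix this
            sub(/[ \t]+$/, "", etype)        # drop trailing whitespace
            if (etype !~ /^des-/) print etype
        }'
}

# Succeeds only when every key on the principal is single DES.
check_srvtab_principal() {
    bad=$(non_des_keys)
    if [ -n "$bad" ]; then
        echo "non-DES key types present:"
        echo "$bad"
        return 1
    fi
    echo "only single-DES key types present"
}

# Constructed sample of getprinc output; the principal is a placeholder.
sample_getprinc() {
    cat <<'EOF'
Principal: host/switch.example.com@EXAMPLE.COM
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
EOF
}

# Against a live KDC (placeholder principal):
#   kadmin -q "getprinc host/switch.example.com" | check_srvtab_principal
```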