kerberized telnet

Marcus Watts mdw at umich.edu
Fri Apr 2 18:01:12 EDT 2010


You sent:
...
> telnet> set authdebug
> auth debugging enabled
> telnet> open kplz354s2
> Trying 10.25.1.14...
> Will send login name and/or authentication information.
> Connected to kplz354s2.d.umn.edu (10.25.1.14).
> Escape character is '^]'.
> >>>TELNET: I support auth type 2 6
> >>>TELNET: I support auth type 2 2
> >>>TELNET: I support auth type 2 0
> >>>TELNET: auth_send got: 02 02 02 00
> >>>TELNET: He supports 2
> >>>TELNET: Trying 2 2
> telnet: calling krb5_sname_to_principal
>                                        telnet: done calling
> krb5_sname_to_principal
> 
> >>>IS:0: [0] (448) 6e 82 01 bc 30 82 01 b8 a0 03 02 01 05 a1 03 02
> telnet: Sent Kerberos V5 credentials to server
> >>>TELNET: Using type 2
> [ Kerberos V5 accepts you as ``mzagrabe at D.UMN.EDU'' ]
> 
> % Authentication failed
> Connection closed by foreign host.
...

I dusted off some old telnet binaries, which produce quite
similar output to what you report:
	lancashire$ kinit 
	Password for mdw at CATS.UMICH.EDU: 
	lancashire$ klist
	Ticket cache: FILE:/tmp/krb5cc_25131
	Default principal: mdw at CATS.UMICH.EDU

	Valid starting     Expires            Service principal
	04/02/10 17:00:24  04/03/10 03:00:24  krbtgt/CATS.UMICH.EDU at CATS.UMICH.EDU
	lancashire$ telnet -a
	telnet> set authdebug
	auth debugging enabled
	telnet> open galois
	Trying 141.213.229.76...
	Connected to galois.ifs.umich.edu (141.213.229.76).
	Escape character is '^]'.
	>>>TELNET: I support auth type 2 6
	>>>TELNET: I support auth type 2 2
	>>>TELNET: I support auth type 2 0
	>>>TELNET: auth_send got: 02 06 02 02 02 00
	>>>TELNET: He supports 2
	>>>TELNET: He supports 2
	>>>TELNET: Trying 2 2
	telnet: calling krb5_sname_to_principal
	telnet: done calling krb5_sname_to_principal
	>>>IS:0: [0] (509) 6e 82 01 f9 30 82 01 f5 a0 03 02 01 05 a1 03 02
	telnet: Sent Kerberos V5 credentials to server
	>>>TELNET: Using type 2
	[ Kerberos V5 accepts you as ``mdw at CATS.UMICH.EDU'' ]
	Last login: Fri Apr  2 17:00:11 from lancashire
	galois$ 
	galois$ logout
	Connection closed by foreign host.
	lancashire$ klist -fea
	Ticket cache: FILE:/tmp/krb5cc_25131
	Default principal: mdw at CATS.UMICH.EDU

	Valid starting     Expires            Service principal
	04/02/10 17:00:24  04/03/10 03:00:24  krbtgt/CATS.UMICH.EDU at CATS.UMICH.EDU
		Flags: I, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC 
		Addresses: (none)
	04/02/10 17:00:39  04/03/10 03:00:24  host/galois.ifs.umich.edu at CATS.UMICH.EDU
		Flags: T, Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with 96-bit SHA-1 HMAC 
		Addresses: (none)
	lancashire$ 

In my case, the server key happens to be AES - the rest is much
as you report.

Now that I've read slightly more of the telnet/telnetd code:
I believe the string 'Kerberos 5 accepts you as' can only appear when
the remote end indicates that it has accepted a kerberos ticket, so
I think that's probably ok.  The string that appears after that
comes from the other end, and the name information almost certainly
comes from inside the ticket, which means it was able to decrypt
the ticket.  So you really do nearly have this working.

The string 'Last login: Fri Apr  2 17:00:11 from lancashire' is
the first thing that is produced by the login program, and that's
where your output diverges.

You might want to try enabling encryption and decryption.

$ telnet -x -a
or
telnet> set autologin
telnet> set autoencrypt
telnet> set autodecrypt
telnet> set verbose_encrypt
telnet> open ...

Also perhaps
telnet> set encdebug

The unix version of telnetd supports an option to require encryption,
when this is enabled, the telnet connection ``hangs'' after connect
until the client enables encryption -- right at the point where your
cisco connection appears to fail.  Perhaps the cisco telnetd isn't
as patient, or perhaps you have some other sort of authorization
problem at that point.

For the sake of comparision, here's what I get if I move the keytab
aside on lancashire:

	lancashire$ telnet
	telnet> set autologin
	Will send login name and/or authentication information.
	telnet> set authdebug
	auth debugging enabled
	telnet> open galois
	Trying 141.213.229.76...
	Connected to galois.ifs.umich.edu (141.213.229.76).
	Escape character is '^]'.
	>>>TELNET: I support auth type 2 6
	>>>TELNET: I support auth type 2 2
	>>>TELNET: I support auth type 2 0
	>>>TELNET: auth_send got: 02 06 02 02 02 00
	>>>TELNET: He supports 2
	>>>TELNET: He supports 2
	>>>TELNET: Trying 2 2
	telnet: calling krb5_sname_to_principal
	telnet: done calling krb5_sname_to_principal
	>>>IS:0: [0] (509) 6e 82 01 f9 30 82 01 f5 a0 03 02 01 05 a1 03 02
	telnet: Sent Kerberos V5 credentials to server
	>>>TELNET: Using type 2
	[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
	>>>TELNET: He supports 2
	>>>TELNET: Trying 2 0
	telnet: calling krb5_sname_to_principal
	telnet: done calling krb5_sname_to_principal
	>>>IS:0: [0] (509) 6e 82 01 f9 30 82 01 f5 a0 03 02 01 05 a1 03 02
	telnet: Sent Kerberos V5 credentials to server
	>>>TELNET: Using type 2
	[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
	>>>TELNET: Sent failure message
	telnetd: Authorization failed.
	Connection closed by foreign host.
	lancashire$ 

In this case, I see that the string "Kerberos V5 refuses authentication because "
comes from the local telnet binary.  The string "telnetd: krb5_rd_req failed:
No such file or directory" comes from telnetd on the other side.

> > If the string you rightfully didn't show us is really a srvtab, the
> > service principal you gave to the cisco must not have any non-des key
> > types in the kdc.
> 
> Why do you say that? (ie. I'm not following this last statement)

Again, I think given that you are seeing 'Kerberos 5 accepts you as' that
whatever key information you have on your cisco is correct.  So I don't
you need to figure out what you have for a "srvtab".  However,
in case you're curious:

A srvtab is a kerberos 4 file which contains one or more service keys.
Because it's kerberos 4 specific, it can only hold DES keys, and
the name has some additional format restrictions.

Here's a sample keytab:

	$ klist -kKe FILE:/home/mdw/aardvark.keytab
	Keytab name: WRFILE:/home/mdw/aardvark.keytab
	KVNO Principal
	---- --------------------------------------------------------------------------
	   3 host/aardvark.ifs.umich.edu at CATS.UMICH.EDU (DES cbc mode with CRC-32)  (0xd067fbec20f83d7f)
	   3 host/aardvark.ifs.umich.edu at CATS.UMICH.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)  (0x4044f793ce3222ff7b5828df33a7f6394a8c77ed2b466e256a0615d5b8783db9)
	$

000000:  5  2  0  0  0 45  0  2  0  e 43 41 54 53 2e 55 .....E....CATS.U
000010: 4d 49 43 48 2e 45 44 55  0  4 68 6f 73 74  0 16 MICH.EDU..host..
000020: 61 61 72 64 76 61 72 6b 2e 69 66 73 2e 75 6d 69 aardvark.ifs.umi
000030: 63 68 2e 65 64 75  0  0  0  1 4b b6 62  7  3  0 ch.edu....K.b...
000040:  1  0  8 d0 67 fb ec 20 f8 3d 7f  0  0  0 5d  0 ....g.. .=....].
000050:  2  0  e 43 41 54 53 2e 55 4d 49 43 48 2e 45 44 ...CATS.UMICH.ED
000060: 55  0  4 68 6f 73 74  0 16 61 61 72 64 76 61 72 U..host..aardvar
000070: 6b 2e 69 66 73 2e 75 6d 69 63 68 2e 65 64 75  0 k.ifs.umich.edu.
000080:  0  0  1 4b b6 62  7  3  0 12  0 20 40 44 f7 93 ...K.b..... @D..
000090: ce 32 22 ff 7b 58 28 df 33 a7 f6 39 4a 8c 77 ed .2".{X(.3..9J.w.
0000a0: 2b 46 6e 25 6a  6 15 d5 b8 78 3d b9             +Fn%j....x=.
0000ac:

And a srvtab made from this:
	$ klist -kKe SRVTAB:/home/mdw/aardvark.srvtab
	Keytab name: SRVTAB:/home/mdw/aardvark.srvtab
	KVNO Principal
	---- --------------------------------------------------------------------------
	   3 host/aardvark.cats.umich.edu at CATS.UMICH.EDU (DES cbc mode with CRC-32)  (0xd067fbec20f83d7f)
	$

000000: 72 63 6d 64  0 61 61 72 64 76 61 72 6b  0 43 41 rcmd.aardvark.CA
000010: 54 53 2e 55 4d 49 43 48 2e 45 44 55  0  3 d0 67 TS.UMICH.EDU...g
000020: fb ec 20 f8 3d 7f                               .. .=.
000026:

The most important difference is the srvtab only has the DES key.
Besides this, notice that the srvtab does not start with ENQ, formats
the name differently, only uses one byte for the kvno, and lacks the
creation timestamp, encryption type, and key length.

...
				-Marcus Watts



More information about the Kerberos mailing list