cisco catalyst 3750 help
Matt Zagrabelny
mzagrabe at d.umn.edu
Wed Mar 24 17:20:42 EDT 2010
Greetings,
I am attempting to use MIT Kerberos to provide automatic logins via
telnet on a Cisco Catalyst 3750.
I have read through the mailing list archives and found some threads
regarding this, but am still unsuccessful in getting things going.
I am using Debian Lenny:
% dpkg -l '*krb*' | grep ii
ii krb5-admin-server 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos master
ii krb5-config 1.22 Configuration files for
ii krb5-doc 1.6.dfsg.4~beta1-5lenny2 Documentation for MIT
ii krb5-kdc 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server
ii krb5-user 1.6.dfsg.4~beta1-5lenny2 Basic programs to
ii libkrb53 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime
% cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
D.UMN.EDU = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-md5:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
% cat krb5.conf
[libdefaults]
default_realm = D.UMN.EDU
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
D.UMN.EDU = {
kdc = kerberos.d.umn.edu:88
admin_server = kerberos.d.umn.edu
default_domain = d.umn.edu
}
[domain_realm]
.d.umn.edu = D.UMN.EDU
d.umn.edu = D.UMN.EDU
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log
default = FILE:/var/log/krb5/lib.log
Next, I do the following steps...
> addprinc mzagrabe
> addprinc -e des-cbc-crc:normal -randkey +requires_preauth host/switch3750.d.umn.edu
> ktadd -e des-cbc-crc:normal -k /var/lib/tftpboot/krb5/switch3750.keytab host/switch3750.d.umn.edu
# chmod 644 /var/lib/tftpboot/krb5/switch3750.keytab
switch> kerberos srvtab remote tftp://kerberos/krb5/switch3750.keytab
The relevant switch configs are:
aaa authentication login telnet krb5-telnet
kerberos local-realm D.UMN.EDU
kerberos srvtab entry host/switch3750.d.umn.edu@D.UMN.EDU 1 <numbers> 3 1 8 <looks like crypto key>
kerberos clients mandatory
kerberos server D.UMN.EDU 131.212.60.117
line vty 0 4
login authentication telnet
transport input telnet
line vty 5 15
login authentication telnet
transport input telnet
The clocks look good:
switch> sh clock
16:06:25.945 CDT Wed Mar 24 2010
kerberos% date
Wed Mar 24 16:06:32 CDT 2010
workstation% kinit
workstation% klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mzagrabe@D.UMN.EDU
Valid starting     Expires            Service principal
03/24/10 16:09:15  03/25/10 02:09:15  krbtgt/D.UMN.EDU@D.UMN.EDU
        renew until 03/25/10 16:08:59, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
kerberos# tail -f /var/log/krb5/kdc.log
Mar 24 16:08:59 stout krb5kdc[4756](info): no valid preauth type found: Success
Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: PREAUTH_FAILED: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Preauthentication failed
Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: NEEDED_PREAUTH: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Additional pre-authentication required
Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU
Now I try to telnet.krb5 to the switch:
workstation% cat .telnetrc
DEFAULT toggle autologin
workstation% telnet.krb5 switch3750
Trying 10.25.1.14...
Will send login name and/or authentication information.
Connected to switch3750.d.umn.edu (10.25.1.14).
Escape character is '^]'.
[ Kerberos V5 refuses authentication ]
kerberos_server_auth: Couldn't authenticate client from grateful.d.umn.edu.
% Authentication failed
% Authentication failed
Connection closed by foreign host.
So, that is pretty much where I am at. I feel like there is a mismatch
between the different encryption types that all the components use, but
I am uncertain where to debug this.
Thanks,
--
Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 4096R/42A00942 2009-12-16
Fingerprint: 5814 2CCE 2383 2991 83FF C899 07E2 BFA8 42A0 0942
He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot
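As an added example (not part of Matt's message, and not code from MIT Kerberos or Cisco), here is a small Python parser for krb5kdc request log lines of the kind quoted above, with a check that compares the enctypes of an issued service ticket (the tkt= and ses= fields) against the enctypes held in that service's keytab. The switch srvtab in the post was populated with des-cbc-crc only (enctype 1), so anything the KDC issues for host/switch3750.d.umn.edu with a non-DES ticket or session key is flagged. The AS_REQ lines mirror the ones in the post with the '@' that the list archive renders as ' at ' restored; the TGS_REQ line is constructed, since the post shows no TGS_REQ, and stands for what a follow-up `tail -f` of kdc.log during the telnet attempt would need to be checked for.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# RFC 3961 / IANA enctype numbers as they appear in MIT krb5 KDC logs.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# Matches MIT 1.6-era krb5kdc request lines such as
#   AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955,
#   etypes {rep=18 tkt=18 ses=18}, user@REALM for krbtgt/REALM@REALM
# The syslog prefix ("Mar 24 16:08:59 stout krb5kdc[4756](info): ") is skipped by re.search.
KDC_REQ_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \((?P<count>\d+) etypes \{(?P<req>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)


@dataclass
class KdcRequest:
    kind: str
    addr: str
    status: str
    requested: List[int]      # enctypes the client offered
    client: str
    server: str
    rep: Optional[int] = None  # enctype of the KDC reply (client's key)
    tkt: Optional[int] = None  # enctype of the ticket (service's long-term key)
    ses: Optional[int] = None  # enctype of the session key (shared by client and service)


def etype_name(n: int) -> str:
    return ENCTYPE_NAMES.get(n, f"etype-{n}")


def parse_kdc_line(line: str) -> Optional[KdcRequest]:
    """Parse one krb5kdc log line; returns None for lines that are not AS/TGS requests."""
    m = KDC_REQ_RE.search(line)
    if not m:
        return None

    def opt(name: str) -> Optional[int]:
        return int(m.group(name)) if m.group(name) is not None else None

    return KdcRequest(
        kind=m.group("kind"),
        addr=m.group("addr"),
        status=m.group("status"),
        requested=[int(x) for x in m.group("req").split()],
        client=m.group("client"),
        server=m.group("server"),
        rep=opt("rep"), tkt=opt("tkt"), ses=opt("ses"),
    )


def check_service_enctypes(req: KdcRequest, service_keys: Dict[str, Set[int]]) -> List[str]:
    """For an issued ticket, report enctypes the target service cannot handle.

    service_keys maps a service principal to the enctypes present in its keytab/srvtab.
    The service must decrypt both the ticket (in its long-term key) and the client's
    authenticator (in the session key), so tkt and ses are checked separately: a ticket
    the service can open is useless if it wraps a session key type the service lacks.
    """
    findings: List[str] = []
    if req.status != "ISSUE" or req.server not in service_keys:
        return findings
    allowed = service_keys[req.server]
    if req.tkt not in allowed:
        findings.append(f"{req.server}: ticket enctype {etype_name(req.tkt)} not in service keytab")
    if req.ses not in allowed:
        findings.append(f"{req.server}: session key {etype_name(req.ses)} not supported by service; "
                        f"client offered {[etype_name(e) for e in req.requested]}")
    return findings


def analyze_log(lines: Iterable[str], service_keys: Dict[str, Set[int]]) -> List[str]:
    findings: List[str] = []
    for line in lines:
        req = parse_kdc_line(line)
        if req is not None:
            findings.extend(check_service_enctypes(req, service_keys))
    return findings


# Constructed sample. The AS_REQ lines follow the post (with '@' restored); the TGS_REQ
# line is made up to show the shape a DES-only service would trip over.
SAMPLE_LOG = [
    "Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: "
    "PREAUTH_FAILED: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Preauthentication failed",
    "Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: "
    "ISSUE: authtime 1269464955, etypes {rep=18 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU",
    "Mar 24 16:10:02 stout krb5kdc[4756](info): TGS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: "
    "ISSUE: authtime 1269464955, etypes {rep=18 tkt=1 ses=18}, mzagrabe@D.UMN.EDU for host/switch3750.d.umn.edu@D.UMN.EDU",
]

# Keytab contents as created in the post: ktadd -e des-cbc-crc:normal, i.e. enctype 1 only.
SWITCH_KEYS = {"host/switch3750.d.umn.edu@D.UMN.EDU": {1}}

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG, SWITCH_KEYS):
        print(finding)
```

Run against the real kdc.log while repeating the `telnet.krb5` attempt and feed it the enctypes actually in the switch's srvtab. A TGS_REQ for the switch's host principal whose ses= value is anything other than 1 points at the session key rather than the ticket: on a KDC of this vintage the ticket is encrypted in the service's DES key, but the session key type is picked from what the client offered (18 17 16 23 in the post), which a DES-only IOS device cannot use. The tkt= check catches the other failure mode, a service principal whose keytab was extracted with a different enctype than the KDC now uses for its tickets.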