cisco catalyst 3750 help

Matt Zagrabelny mzagrabe at d.umn.edu
Wed Mar 24 17:20:42 EDT 2010


Greetings,

I am attempting to use MIT Kerberos to provide automatic logins via
telnet on a Cisco Catalyst 3750.

I have read through the mailing list archives and found some threads
regarding this, but am still unsuccessful in getting things going.

I am using Debian Lenny:

% dpkg -l '*krb*' | grep ii
ii  krb5-admin-server  1.6.dfsg.4~beta1-5lenny2 MIT Kerberos master
ii  krb5-config        1.22                     Configuration files for
ii  krb5-doc           1.6.dfsg.4~beta1-5lenny2 Documentation for MIT
ii  krb5-kdc           1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server
ii  krb5-user          1.6.dfsg.4~beta1-5lenny2 Basic programs to
ii  libkrb53           1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime

% cat /etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    D.UMN.EDU = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal
des3-hmac-sha1:normal des3-cbc-md5:normal des-cbc-crc:normal des:normal
des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

% cat krb5.conf

[libdefaults]
        default_realm = D.UMN.EDU

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT
Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability
problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such
as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        D.UMN.EDU = {
                kdc = kerberos.d.umn.edu:88
                admin_server = kerberos.d.umn.edu
                default_domain = d.umn.edu
        }

[domain_realm]
        .d.umn.edu = D.UMN.EDU
        d.umn.edu = D.UMN.EDU

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/kadmin.log
        default = FILE:/var/log/krb5/lib.log


Next, I do the following steps...

> addprinc mzagrabe

> addprinc -e des-cbc-crc:normal -randkey +requires_preauth
host/switch3750.d.umn.edu

> ktadd -e des-cbc-crc:normal
-k /var/lib/tftpboot/krb5/switch3750.keytab host/switch3750.d.umn.edu

# chmod 644 /var/lib/tftpboot/krb5/switch3750.keytab

switch> kerberos srvtab remote tftp://kerberos/krb5/switch3750.keytab

The relevant switch configs are:

aaa authentication login telnet krb5-telnet
kerberos local-realm D.UMN.EDU
kerberos srvtab entry host/switch3750.d.umn.edu at D.UMN.EDU 1 <numbers> 3
1 8 <looks like crypto key>
kerberos clients mandatory
kerberos server D.UMN.EDU 131.212.60.117
line vty 0 4
 login authentication telnet
 transport input telnet
line vty 5 15
 login authentication telnet
 transport input telnet

The clocks look good:

switch> sh clock
16:06:25.945 CDT Wed Mar 24 2010

kerberos% date
Wed Mar 24 16:06:32 CDT 2010

workstation% kinit
workstation% klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mzagrabe at D.UMN.EDU

Valid starting     Expires            Service principal
03/24/10 16:09:15  03/25/10 02:09:15  krbtgt/D.UMN.EDU at D.UMN.EDU
        renew until 03/25/10 16:08:59, Etype (skey, tkt): AES-256 CTS
mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

kerberos# tail -f /var/log/krb5/kdc.log
Mar 24 16:08:59 stout krb5kdc[4756](info): no valid preauth type found:
Success
Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16
23}) 131.212.60.196: PREAUTH_FAILED: mzagrabe at D.UMN.EDU for
krbtgt/D.UMN.EDU at D.UMN.EDU, Preauthentication failed
Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16
23}) 131.212.60.196: NEEDED_PREAUTH: mzagrabe at D.UMN.EDU for
krbtgt/D.UMN.EDU at D.UMN.EDU, Additional pre-authentication required
Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16
23}) 131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=18
ses=18}, mzagrabe at D.UMN.EDU for krbtgt/D.UMN.EDU at D.UMN.EDU

Now I try to telnet.krb5 to the switch:

workstation% cat .telnetrc
DEFAULT toggle autologin

workstation% telnet.krb5 switch3750
Trying 10.25.1.14...
Will send login name and/or authentication information.
Connected to switch3750.d.umn.edu (10.25.1.14).
Escape character is '^]'.
[ Kerberos V5 refuses authentication ]
kerberos_server_auth:   Couldn't authenticate client from
grateful.d.umn.edu.

% Authentication failed

% Authentication failed
Connection closed by foreign host.


So, that is pretty much where I am at. I feel like there is a mismatch
between the different encryption types that all the components use, but
I am uncertain where to debug this.

Thanks,

-- 
Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 4096R/42A00942 2009-12-16
Fingerprint: 5814 2CCE 2383 2991 83FF  C899 07E2 BFA8 42A0 0942

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20100324/2641ffb7/attachment.bin


More information about the Kerberos mailing list