cisco catalyst 3750 help
Nikolay Shopik
shopik at inblock.ru
Thu Mar 25 02:13:59 EDT 2010
I've asked about Kerberos support in Cisco devices once, from what I can
tell they don't support tickets/gssapi, so only login password manually
will work.
On 25.03.2010 0:20, Matt Zagrabelny wrote:
> Greetings,
>
> I am attempting to use MIT Kerberos to provide automatic logins via
> telnet on a Cisco Catalyst 3750.
>
> I have read through the mailing list archives and found some threads
> regarding this, but am still unsuccessful in getting things going.
>
> I am using Debian Lenny:
>
> % dpkg -l '*krb*' | grep ii
> ii krb5-admin-server 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos master
> ii krb5-config 1.22 Configuration files for
> ii krb5-doc 1.6.dfsg.4~beta1-5lenny2 Documentation for MIT
> ii krb5-kdc 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server
> ii krb5-user 1.6.dfsg.4~beta1-5lenny2 Basic programs to
> ii libkrb53 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime
>
> % cat /etc/krb5kdc/kdc.conf
>
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> D.UMN.EDU = {
> database_name = /var/lib/krb5kdc/principal
> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5kdc/kadm5.acl
> key_stash_file = /etc/krb5kdc/stash
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-md5:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> default_principal_flags = +preauth
> }
>
> % cat krb5.conf
>
> [libdefaults]
> default_realm = D.UMN.EDU
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> D.UMN.EDU = {
> kdc = kerberos.d.umn.edu:88
> admin_server = kerberos.d.umn.edu
> default_domain = d.umn.edu
> }
>
> [domain_realm]
> .d.umn.edu = D.UMN.EDU
> d.umn.edu = D.UMN.EDU
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> [logging]
> kdc = FILE:/var/log/krb5/kdc.log
> admin_server = FILE:/var/log/krb5/kadmin.log
> default = FILE:/var/log/krb5/lib.log
>
>
> Next, I do the following steps...
>
>> addprinc mzagrabe
>
>> addprinc -e des-cbc-crc:normal -randkey +requires_preauth host/switch3750.d.umn.edu
>
>> ktadd -e des-cbc-crc:normal -k /var/lib/tftpboot/krb5/switch3750.keytab host/switch3750.d.umn.edu
>
> # chmod 644 /var/lib/tftpboot/krb5/switch3750.keytab
>
> switch> kerberos srvtab remote tftp://kerberos/krb5/switch3750.keytab
>
> The relevant switch configs are:
>
> aaa authentication login telnet krb5-telnet
> kerberos local-realm D.UMN.EDU
> kerberos srvtab entry host/switch3750.d.umn.edu@D.UMN.EDU 1<numbers> 3 1 8<looks like crypto key>
> kerberos clients mandatory
> kerberos server D.UMN.EDU 131.212.60.117
> line vty 0 4
> login authentication telnet
> transport input telnet
> line vty 5 15
> login authentication telnet
> transport input telnet
>
> The clocks look good:
>
> switch> sh clock
> 16:06:25.945 CDT Wed Mar 24 2010
>
> kerberos% date
> Wed Mar 24 16:06:32 CDT 2010
>
> workstation% kinit
> workstation% klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: mzagrabe@D.UMN.EDU
>
> Valid starting     Expires            Service principal
> 03/24/10 16:09:15  03/25/10 02:09:15  krbtgt/D.UMN.EDU@D.UMN.EDU
>         renew until 03/25/10 16:08:59, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
> kerberos# tail -f /var/log/krb5/kdc.log
> Mar 24 16:08:59 stout krb5kdc[4756](info): no valid preauth type found: Success
> Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: PREAUTH_FAILED: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Preauthentication failed
> Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: NEEDED_PREAUTH: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Additional pre-authentication required
> Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU
>
> Now I try to telnet.krb5 to the switch:
>
> workstation% cat .telnetrc
> DEFAULT toggle autologin
>
> workstation% telnet.krb5 switch3750
> Trying 10.25.1.14...
> Will send login name and/or authentication information.
> Connected to switch3750.d.umn.edu (10.25.1.14).
> Escape character is '^]'.
> [ Kerberos V5 refuses authentication ]
> kerberos_server_auth: Couldn't authenticate client from grateful.d.umn.edu.
>
> % Authentication failed
>
> % Authentication failed
> Connection closed by foreign host.
>
>
> So, that is pretty much where I am at. I feel like there is a mismatch
> between the different encryption types that all the components use, but
> I am uncertain where to debug this.
>
> Thanks,
>
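An added diagnostic (not from either poster) that parses MIT kdc.log ISSUE lines and reports which issued key enctypes fall outside the set a service can use, which is the "mismatch between the different encryption types" the post asks how to debug. The AS_REQ line is the one from the post with the mail wrap undone; the TGS_REQ line for the host principal is constructed, since the post shows no such line, and the check assumes the switch can only use the des-cbc-crc key (type 1) its keytab was created with.

```python
import re

# Encryption type numbers (RFC 3961 / RFC 4120) as printed in MIT kdc.log
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# Constructed sample: the ISSUE line from the post's kdc.log with the mail
# wrap undone, plus a hypothetical TGS_REQ line for the switch's host principal.
KDC_LOG = """\
Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU
Mar 24 16:09:40 stout krb5kdc[4756](info): TGS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=1 ses=18}, mzagrabe@D.UMN.EDU for host/switch3750.d.umn.edu@D.UMN.EDU
"""

ISSUE_RE = re.compile(
    r"(AS_REQ|TGS_REQ) \(\d+ etypes \{([\d ]+)\}\) \S+: ISSUE: .*"
    r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)")


def parse_issues(log):
    """Yield one dict per ISSUE line: request kind, client-offered etypes,
    the three etypes the KDC chose, and the service principal."""
    for line in log.splitlines():
        m = ISSUE_RE.search(line)
        if m:
            yield {
                "kind": m.group(1),
                "offered": [int(x) for x in m.group(2).split()],
                "rep": int(m.group(3)), "tkt": int(m.group(4)),
                "ses": int(m.group(5)), "server": m.group(7),
            }


def service_mismatches(log, server, supported):
    """For tickets issued for `server`, report key roles whose enctype is
    outside the set the service side can use. The ticket key (tkt) is one of
    the service's own keytab types; the session key (ses) is negotiated from
    what the client offered, so that is where a DES-only device trips."""
    problems = {}
    for rec in parse_issues(log):
        if rec["server"] != server:
            continue
        for role in ("tkt", "ses"):
            if rec[role] not in supported:
                problems[role] = ETYPE_NAMES.get(rec[role], str(rec[role]))
    return problems


if __name__ == "__main__":
    # The switch's keytab was created with des-cbc-crc only (type 1).
    print(service_mismatches(KDC_LOG, "host/switch3750.d.umn.edu@D.UMN.EDU", {1}))
```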