cisco catalyst 3750 help

Matt Zagrabelny mzagrabe at d.umn.edu
Thu Mar 25 08:41:46 EDT 2010


On Thu, 2010-03-25 at 09:13 +0300, Nikolay Shopik wrote:
> I've asked about Kerberos support in Cisco devices once; from what I can
> tell they don't support tickets/GSSAPI, so only logging in manually with
> a password will work.

Funny thing, I once had tickets/GSSAPI working with the Catalysts, but
that was a number of years ago. That is what the krb5-telnet
authentication mode does. There was a bug that caused a hard reboot with
the IOS; Cisco says that it has been fixed, which is why I thought I
would try Kerberos again.

> On 25.03.2010 0:20, Matt Zagrabelny wrote:
> > Greetings,
> >
> > I am attempting to use MIT Kerberos to provide automatic logins via
> > telnet on a Cisco Catalyst 3750.
> >
> > I have read through the mailing list archives and found some threads
> > regarding this, but am still unsuccessful in getting things going.
> >
> > I am using Debian Lenny:
> >
> > % dpkg -l '*krb*' | grep ii
> > ii  krb5-admin-server  1.6.dfsg.4~beta1-5lenny2 MIT Kerberos master
> > ii  krb5-config        1.22                     Configuration files for
> > ii  krb5-doc           1.6.dfsg.4~beta1-5lenny2 Documentation for MIT
> > ii  krb5-kdc           1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server
> > ii  krb5-user          1.6.dfsg.4~beta1-5lenny2 Basic programs to
> > ii  libkrb53           1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime
> >
> > % cat /etc/krb5kdc/kdc.conf
> >
> > [kdcdefaults]
> >      kdc_ports = 750,88
> >
> > [realms]
> >      D.UMN.EDU = {
> >          database_name = /var/lib/krb5kdc/principal
> >          admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> >          acl_file = /etc/krb5kdc/kadm5.acl
> >          key_stash_file = /etc/krb5kdc/stash
> >          kdc_ports = 750,88
> >          max_life = 10h 0m 0s
> >          max_renewable_life = 7d 0h 0m 0s
> >          master_key_type = des3-hmac-sha1
> >          supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-md5:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> >          default_principal_flags = +preauth
> >      }
> >
> > % cat krb5.conf
> >
> > [libdefaults]
> >          default_realm = D.UMN.EDU
> >
> > # The following krb5.conf variables are only for MIT Kerberos.
> >          krb4_config = /etc/krb.conf
> >          krb4_realms = /etc/krb.realms
> >          kdc_timesync = 1
> >          ccache_type = 4
> >          forwardable = true
> >          proxiable = true
> >
> > # The following encryption type specification will be used by MIT Kerberos
> > # if uncommented.  In general, the defaults in the MIT Kerberos code are
> > # correct and overriding these specifications only serves to disable new
> > # encryption types as they are added, creating interoperability problems.
> > #
> > # The only time when you might need to uncomment these lines and change
> > # the enctypes is if you have local software that will break on ticket
> > # caches containing ticket encryption types it doesn't know about (such as
> > # old versions of Sun Java).
> >
> > #       default_tgs_enctypes = des3-hmac-sha1
> > #       default_tkt_enctypes = des3-hmac-sha1
> > #       permitted_enctypes = des3-hmac-sha1
> >
> > # The following libdefaults parameters are only for Heimdal Kerberos.
> >          v4_instance_resolve = false
> >          v4_name_convert = {
> >                  host = {
> >                          rcmd = host
> >                          ftp = ftp
> >                  }
> >                  plain = {
> >                          something = something-else
> >                  }
> >          }
> >          fcc-mit-ticketflags = true
> >
> > [realms]
> >          D.UMN.EDU = {
> >                  kdc = kerberos.d.umn.edu:88
> >                  admin_server = kerberos.d.umn.edu
> >                  default_domain = d.umn.edu
> >          }
> >
> > [domain_realm]
> >          .d.umn.edu = D.UMN.EDU
> >          d.umn.edu = D.UMN.EDU
> >
> > [login]
> >          krb4_convert = true
> >          krb4_get_tickets = false
> >
> > [logging]
> >          kdc = FILE:/var/log/krb5/kdc.log
> >          admin_server = FILE:/var/log/krb5/kadmin.log
> >          default = FILE:/var/log/krb5/lib.log
> >
> >
> > Next, I do the following steps...
> >
> >> addprinc mzagrabe
> >
> >> addprinc -e des-cbc-crc:normal -randkey +requires_preauth host/switch3750.d.umn.edu
> >
> >> ktadd -e des-cbc-crc:normal -k /var/lib/tftpboot/krb5/switch3750.keytab host/switch3750.d.umn.edu
> >
> > # chmod 644 /var/lib/tftpboot/krb5/switch3750.keytab
> >
> > switch>  kerberos srvtab remote tftp://kerberos/krb5/switch3750.keytab
> >
> > The relevant switch configs are:
> >
> > aaa authentication login telnet krb5-telnet
> > kerberos local-realm D.UMN.EDU
> > kerberos srvtab entry host/switch3750.d.umn.edu@D.UMN.EDU 1<numbers>  3 1 8<looks like crypto key>
> > kerberos clients mandatory
> > kerberos server D.UMN.EDU 131.212.60.117
> > line vty 0 4
> >   login authentication telnet
> >   transport input telnet
> > line vty 5 15
> >   login authentication telnet
> >   transport input telnet
> >
> > The clocks look good:
> >
> > switch>  sh clock
> > 16:06:25.945 CDT Wed Mar 24 2010
> >
> > kerberos% date
> > Wed Mar 24 16:06:32 CDT 2010
> >
> > workstation% kinit
> > workstation% klist -e
> > Ticket cache: FILE:/tmp/krb5cc_1000
> > Default principal: mzagrabe@D.UMN.EDU
> >
> > Valid starting     Expires            Service principal
> > 03/24/10 16:09:15  03/25/10 02:09:15  krbtgt/D.UMN.EDU@D.UMN.EDU
> >          renew until 03/25/10 16:08:59, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
> >
> > kerberos# tail -f /var/log/krb5/kdc.log
> > Mar 24 16:08:59 stout krb5kdc[4756](info): no valid preauth type found: Success
> > Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: PREAUTH_FAILED: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Preauthentication failed
> > Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: NEEDED_PREAUTH: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Additional pre-authentication required
> > Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU
> >
> > Now I try to telnet.krb5 to the switch:
> >
> > workstation% cat .telnetrc
> > DEFAULT toggle autologin
> >
> > workstation% telnet.krb5 switch3750
> > Trying 10.25.1.14...
> > Will send login name and/or authentication information.
> > Connected to switch3750.d.umn.edu (10.25.1.14).
> > Escape character is '^]'.
> > [ Kerberos V5 refuses authentication ]
> > kerberos_server_auth:   Couldn't authenticate client from grateful.d.umn.edu.
> >
> > % Authentication failed
> >
> > % Authentication failed
> > Connection closed by foreign host.
> >
> >
> > So, that is pretty much where I am at. I feel like there is a mismatch
> > between the different encryption types that all the components use, but
> > I am uncertain where to debug this.
> >
> > Thanks,
> >
> >
> >
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
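The poster suspects an enctype mismatch between the components but does not know where to look. Two things are worth checking before the switch is involved at all: what the exported keytab actually contains (principal, kvno, enctype, key length; these are the numbers the switch's `kerberos srvtab entry` line should agree with), and whether the enctypes the client offers in its AS_REQ (the `{18 17 16 23}` list in the kdc.log lines above, which is governed by `default_tkt_enctypes` / `permitted_enctypes` in krb5.conf, the lines the posted krb5.conf leaves commented out) overlap at all with the keys the service principal has. The KDC has to pick a session key enctype both sides can use: it learns the client's side from the request's etype list and infers the server's side from the keys on the server principal, so an empty overlap is the first thing to rule out. The script below is an added example for this thread and is not code from the poster, MIT Kerberos or Cisco. It parses the version 0x0502 keytab format that `ktadd -k` writes and greps the AS_REQ etype list out of krb5kdc log lines. The keytab bytes (including the DES key value, a dummy), the principal names and the log line are constructed here for the demo; the log line copies the shape of the one in the post.

```python
"""Inspect a keytab before pushing it to the switch, then check its enctypes
against the etypes the client offered in the krb5kdc log.

Added example for this thread; it is not code from the poster, MIT Kerberos
or Cisco.  The keytab bytes and the KDC log line below are constructed for the
demo (the log line copies the shape of the one in the post)."""
import re
import struct

# Enctype numbers from RFC 3961/3962/4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 0x0502
    keytab (big-endian), the on-disk format `ktadd -k` produces."""
    out = [b"\x05\x02"]
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                       # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp (0 = dummy), vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # 32-bit kvno extension
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)

def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype, enctype_name, keylen.
    The key bytes themselves are skipped, never returned or printed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version 0x0502 keytabs are handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):                      # realm, then ncomp components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        realm, comps = strings[0], strings[1:]
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen
        kvno = vno8
        if end - pos >= 4:                              # 32-bit kvno present
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "keylen": klen,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype)})
    return entries

AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\)")

def requested_etypes(log_lines):
    """Etypes the client offered, taken from the first AS_REQ line found."""
    for line in log_lines:
        m = AS_REQ_RE.search(line)
        if m:
            return [int(x) for x in m.group(1).split()]
    return []

def etype_overlap(entries, client_etypes, service):
    """Enctypes `service` has keys for that the client also offered."""
    have = {e["enctype"] for e in entries if e["principal"] == service}
    return sorted(have & set(client_etypes))

# Constructed sample data (dummy key, log line modelled on the post's format).
SERVICE = "host/switch3750.d.umn.edu@D.UMN.EDU"
SAMPLE_KEYTAB = build_keytab([(SERVICE, 3, 1, bytes.fromhex("0123456789abcdef"))])
SAMPLE_KDC_LOG = [
    "Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) "
    "131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=18 ses=18}, "
    "mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU",
]

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%(principal)s kvno=%(kvno)d enctype=%(enctype)d (%(enctype_name)s) keylen=%(keylen)d" % e)
    offered = requested_etypes(SAMPLE_KDC_LOG)
    print("client offered:", offered, "overlap with service keys:",
          etype_overlap(entries, offered, SERVICE))
```

On a real system the same two facts come from `klist -e -k -t switch3750.keytab` for the keytab and from `kvno host/switch3750.d.umn.edu` followed by `klist -e`, which shows the enctype of the service ticket and its session key rather than only the TGT's; the `klist -e` output in the post only covers the TGT. With the sample data the overlap is empty, because the host principal only has a des-cbc-crc key while the client offered AES, 3DES and RC4; whether a particular KDC version refuses the TGS request in that situation or falls back is a property of that KDC and not something this check decides.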