[32182] in Kerberos


cisco catalyst 3750 help

daemon@ATHENA.MIT.EDU (Matt Zagrabelny)
Wed Mar 24 17:21:27 2010

From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: kerberos@mit.edu
Date: Wed, 24 Mar 2010 16:20:42 -0500
Message-ID: <1269465642.4868.91.camel@grateful.d.umn.edu>
Greetings,

I am attempting to use MIT Kerberos to provide automatic logins via
telnet on a Cisco Catalyst 3750.

I have read through the mailing list archives and found some threads
regarding this, but am still unsuccessful in getting things going.

I am using Debian Lenny:

% dpkg -l '*krb*' | grep ii
ii  krb5-admin-server  1.6.dfsg.4~beta1-5lenny2 MIT Kerberos master
ii  krb5-config        1.22                     Configuration files for
ii  krb5-doc           1.6.dfsg.4~beta1-5lenny2 Documentation for MIT
ii  krb5-kdc           1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server
ii  krb5-user          1.6.dfsg.4~beta1-5lenny2 Basic programs to
ii  libkrb53           1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime

% cat /etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    D.UMN.EDU = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-md5:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

% cat krb5.conf

[libdefaults]
        default_realm = D.UMN.EDU

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        D.UMN.EDU = {
                kdc = kerberos.d.umn.edu:88
                admin_server = kerberos.d.umn.edu
                default_domain = d.umn.edu
        }

[domain_realm]
        .d.umn.edu = D.UMN.EDU
        d.umn.edu = D.UMN.EDU

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/kadmin.log
        default = FILE:/var/log/krb5/lib.log


Next, I do the following steps...

> addprinc mzagrabe

> addprinc -e des-cbc-crc:normal -randkey +requires_preauth host/switch3750.d.umn.edu

> ktadd -e des-cbc-crc:normal -k /var/lib/tftpboot/krb5/switch3750.keytab host/switch3750.d.umn.edu

# chmod 644 /var/lib/tftpboot/krb5/switch3750.keytab

switch> kerberos srvtab remote tftp://kerberos/krb5/switch3750.keytab

The relevant switch configs are:

aaa authentication login telnet krb5-telnet
kerberos local-realm D.UMN.EDU
kerberos srvtab entry host/switch3750.d.umn.edu@D.UMN.EDU 1 <numbers> 3 1 8 <looks like crypto key>
kerberos clients mandatory
kerberos server D.UMN.EDU 131.212.60.117
line vty 0 4
 login authentication telnet
 transport input telnet
line vty 5 15
 login authentication telnet
 transport input telnet

The clocks look good:

switch> sh clock
16:06:25.945 CDT Wed Mar 24 2010

kerberos% date
Wed Mar 24 16:06:32 CDT 2010

workstation% kinit
workstation% klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mzagrabe@D.UMN.EDU

Valid starting     Expires            Service principal
03/24/10 16:09:15  03/25/10 02:09:15  krbtgt/D.UMN.EDU@D.UMN.EDU
        renew until 03/25/10 16:08:59, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

kerberos# tail -f /var/log/krb5/kdc.log
Mar 24 16:08:59 stout krb5kdc[4756](info): no valid preauth type found: Success
Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: PREAUTH_FAILED: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Preauthentication failed
Mar 24 16:08:59 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: NEEDED_PREAUTH: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Additional pre-authentication required
Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes {18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955, etypes {rep=18 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU

Now I try to telnet.krb5 to the switch:

workstation% cat .telnetrc
DEFAULT toggle autologin

workstation% telnet.krb5 switch3750
Trying 10.25.1.14...
Will send login name and/or authentication information.
Connected to switch3750.d.umn.edu (10.25.1.14).
Escape character is '^]'.
[ Kerberos V5 refuses authentication ]
kerberos_server_auth:   Couldn't authenticate client from
grateful.d.umn.edu.

% Authentication failed

% Authentication failed
Connection closed by foreign host.


So, that is pretty much where I am at. I feel like there is a mismatch
between the different encryption types that all the components use, but
I am uncertain where to debug this.

Thanks,

-- 
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 4096R/42A00942 2009-12-16
Fingerprint: 5814 2CCE 2383 2991 83FF  C899 07E2 BFA8 42A0 0942

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
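The post suspects an enctype mismatch between the keytab pushed to the switch and what the client and KDC negotiate, but does not say how to check it. The script below is an added example (editor's code, not from the post or from MIT krb5): it decodes the MIT keytab file format (version 0x0502, the format ktadd writes) so you can see exactly which principal, kvno and enctype each entry holds, and it pulls the client's offered etype list and the `rep=/tkt=/ses=` values out of krb5kdc log lines like the ones quoted above. The keytab bytes are constructed inline with the post's switch principal and a dummy des-cbc-crc (enctype 1) key; the enctype number-to-name table follows RFC 3961/3962/4757. The session-key enctype the KDC picks for a service ticket has to be one the client offered and the service has a key for, so an empty intersection is the first thing to rule out; the `tkt=` value on the TGS_REQ ISSUE line for `host/switch3750.d.umn.edu` is then the enctype (and, with `kvno`, the key) the switch's srvtab must actually contain.

```python
"""Decode a MIT keytab and compare its enctypes with the etype list a
client sends, as krb5kdc logs it.  Added example, not from the post; the
keytab below is constructed with the switch principal and enctype 1."""
import re
import struct

# Enctype numbers from RFC 3961/3962/4757; names as krb5 prints them.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(b):
    """keytab counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Encode (principal, kvno, enctype, key, timestamp) tuples as a
    version 0x0502 keytab; every integer is big-endian."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type (1 = NT-PRINCIPAL), timestamp, 8-bit vno
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Decode a version 0x0502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _ntype, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # step past the key bytes themselves
        kvno = vno8
        if end - pos >= 4:            # 32-bit vno wins when present and nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": klen,
                        "timestamp": timestamp})
    return entries

# krb5kdc log formats for the request etype list and for ISSUE lines.
_REQ_RE = re.compile(r"(?:AS|TGS)_REQ \(\d+ etypes \{([\d ]+)\}\)")
_ISSUE_RE = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

def requested_etypes(logline):
    """Enctypes the client offered, in its preference order (or None)."""
    m = _REQ_RE.search(logline)
    return [int(x) for x in m.group(1).split()] if m else None

def issued_etypes(logline):
    """(rep, tkt, ses) enctypes from an ISSUE line, or None."""
    m = _ISSUE_RE.search(logline)
    return tuple(int(x) for x in m.groups()) if m else None

def check_service_etypes(entries, principal, client_etypes):
    """Enctypes the service keytab and the client have in common."""
    have = {e["enctype"] for e in entries if e["principal"] == principal}
    return {"keytab": sorted(have), "client": list(client_etypes),
            "common": [e for e in client_etypes if e in have]}

SWITCH = "host/switch3750.d.umn.edu@D.UMN.EDU"
# Constructed keytab: one 8-byte des-cbc-crc key at kvno 1 (dummy key bytes).
KEYTAB = build_keytab([(SWITCH, 1, 1, bytes(range(8)), 1269464955)])
# The AS_REQ ISSUE line from the post's kdc.log, quoted-printable decoded.
ISSUE_LINE = ("Mar 24 16:09:15 stout krb5kdc[4756](info): AS_REQ (4 etypes "
              "{18 17 16 23}) 131.212.60.196: ISSUE: authtime 1269464955, "
              "etypes {rep=18 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for "
              "krbtgt/D.UMN.EDU@D.UMN.EDU")

if __name__ == "__main__":
    for e in parse_keytab(KEYTAB):
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES[e["enctype"]])
    print(check_service_etypes(parse_keytab(KEYTAB), SWITCH,
                               requested_etypes(ISSUE_LINE)))
```

On a real system, read `/var/lib/tftpboot/krb5/switch3750.keytab` into `parse_keytab` and feed the `TGS_REQ ... for host/switch3750.d.umn.edu@D.UMN.EDU` line from kdc.log (not the TGT line quoted here) to `requested_etypes` and `issued_etypes`: the `tkt=` enctype and the kvno must both be present in the keytab entry the switch loaded, and the `kerberos srvtab entry` line in the switch config should show that same kvno.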

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
