[32235] in Kerberos


Re: kerberized telnet

daemon@ATHENA.MIT.EDU (Matt Zagrabelny)
Fri Apr 2 16:00:22 2010

From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: Marcus Watts <mdw@umich.edu>
In-Reply-To: <E1NxmDh-00048v-Dt@bruson.ifs.umich.edu>
Date: Fri, 02 Apr 2010 14:58:02 -0500
Message-ID: <1270238282.4868.1867.camel@grateful.d.umn.edu>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: multipart/mixed; boundary="===============1455244267=="
Errors-To: kerberos-bounces@mit.edu


Thanks for the quick response, Marcus; comments inline.

On Fri, 2010-04-02 at 15:07 -0400, Marcus Watts wrote:
> > Date:    Fri, 02 Apr 2010 13:33:26 CDT
> > To:      kerberos <kerberos@mit.edu>
> > From:    Matt Zagrabelny <mzagrabe@d.umn.edu>
> > Subject: kerberized telnet
> >
> > Greetings,
> >
> > I am trying to debug a Kerberos setup with a MIT KDC/TGS and Cisco
> > Catalyst 3750. Things are progressing, but I've hit a wall.
> >
> > Here is what I perform on my workstation:
> >
> > $ kinit
> > $ telnet kplz354s2
> > Trying 10.25.1.14...
> > Will send login name and/or authentication information.
> > Connected to kplz354s2.d.umn.edu (10.25.1.14).
> > Escape character is '^]'.
> > [ Kerberos V5 accepts you as ``mzagrabe@D.UMN.EDU'' ]
> >
> > % Authentication failed
> > Connection closed by foreign host.
> ...
>
> The message "Kerberos V5 accepts" comes from your local telnet client.
> It means that at some basic level kerberos 5 negotiation succeeded with
> the telnet server.
>
> There's an "authdebug" option you can set.
> You can probably get more debug output using:
> 	$ telnet
> 	telnet> set authdebug
> 	telnet> open kplz354s2
> 	...

telnet> set authdebug
auth debugging enabled
telnet> open kplz354s2
Trying 10.25.1.14...
Will send login name and/or authentication information.
Connected to kplz354s2.d.umn.edu (10.25.1.14).
Escape character is '^]'.
>>>TELNET: I support auth type 2 6
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: auth_send got: 02 02 02 00
>>>TELNET: He supports 2
>>>TELNET: Trying 2 2
telnet: calling krb5_sname_to_principal
telnet: done calling krb5_sname_to_principal

>>>IS:0: [0] (448) 6e 82 01 bc 30 82 01 b8 a0 03 02 01 05 a1 03 02
telnet: Sent Kerberos V5 credentials to server
>>>TELNET: Using type 2
[ Kerberos V5 accepts you as ``mzagrabe@D.UMN.EDU'' ]

% Authentication failed
Connection closed by foreign host.



> use "set ?" to see what else you can do - there are additional debugging
> options.  If you have something else for which you can successfully do
> kerberos authentication, you should compare the results.
>
> Off-hand, I wonder what encryption types you have.  You might want to
> check encryption types in the kdc logs, & encryption types and flags on
> the various principals involved.

Apr 02 11:33:37 stout krb5kdc[27785](info): no valid preauth type found: Success
Apr 02 11:33:37 stout krb5kdc[27785](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 131.212.60.196: PREAUTH_FAILED: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Preauthentication failed
Apr 02 11:33:37 stout krb5kdc[27785](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 131.212.60.196: NEEDED_PREAUTH: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Additional pre-authentication required
Apr 02 11:33:43 stout krb5kdc[27785](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 131.212.60.196: ISSUE: authtime 1270226023, etypes {rep=1 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU
Apr 02 11:33:46 stout krb5kdc[27785](info): TGS_REQ (1 etypes {1}) 131.212.60.196: ISSUE: authtime 1270226023, etypes {rep=18 tkt=1 ses=1}, mzagrabe@D.UMN.EDU for host/kplz354s2.d.umn.edu@D.UMN.EDU

kadmin.local:  getprinc mzagrabe
Principal: mzagrabe@D.UMN.EDU
Expiration date: [never]
Last password change: Tue Mar 30 19:46:41 CDT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Apr 02 11:15:21 CDT 2010 (root/admin@D.UMN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

kadmin.local:  getprinc host/kplz354s2.d.umn.edu@D.UMN.EDU
Principal: host/kplz354s2.d.umn.edu@D.UMN.EDU
Expiration date: [never]
Last password change: Wed Mar 31 14:06:07 CDT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Apr 02 11:16:49 CDT 2010 (root/admin@D.UMN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


>   klist -fea may also be interesting.

$ klist -fea
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mzagrabe@D.UMN.EDU

Valid starting     Expires            Service principal
04/02/10 11:33:43  04/02/10 21:33:43  krbtgt/D.UMN.EDU@D.UMN.EDU
        renew until 04/03/10 11:33:37, Flags: FPRIA
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
        Addresses: (none)
04/02/10 11:33:46  04/02/10 21:33:43  host/kplz354s2.d.umn.edu@D.UMN.EDU
        renew until 04/03/10 11:33:37, Flags: FPRAT
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
        Addresses: (none)


> If the string you rightfully didn't show us is really a srvtab, the
> service principal you gave to the cisco must not have any non-des key
> types in the kdc.

Why do you say that? (i.e., I'm not following this last statement)


-- 
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 4096R/42A00942 2009-12-16
Fingerprint: 5814 2CCE 2383 2991 83FF  C899 07E2 BFA8 42A0 0942

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
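Added example, not part of this thread: a small parser for the krb5kdc ISSUE lines Matt pasted above that reports which negotiated key is single DES. On the sample it flags the DES reply key in the AS_REQ (the user principal only has a DES cbc/CRC-32 key) and the DES ticket and session keys in the TGS_REQ for host/kplz354s2.d.umn.edu, which is what the getprinc and klist output shows. The sample log is constructed from the lines in this message with the quoted-printable decoded; the etype numbers 1 to 3 are the RFC 3961 single-DES types.

```python
import re

# Constructed sample: three krb5kdc lines from this thread, quoted-printable decoded.
SAMPLE_LOG = """\
Apr 02 11:33:37 stout krb5kdc[27785](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 131.212.60.196: NEEDED_PREAUTH: mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU, Additional pre-authentication required
Apr 02 11:33:43 stout krb5kdc[27785](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 131.212.60.196: ISSUE: authtime 1270226023, etypes {rep=1 tkt=18 ses=18}, mzagrabe@D.UMN.EDU for krbtgt/D.UMN.EDU@D.UMN.EDU
Apr 02 11:33:46 stout krb5kdc[27785](info): TGS_REQ (1 etypes {1}) 131.212.60.196: ISSUE: authtime 1270226023, etypes {rep=18 tkt=1 ses=1}, mzagrabe@D.UMN.EDU for host/kplz354s2.d.umn.edu@D.UMN.EDU
"""

# RFC 3961 etype numbers for single DES (deprecated by RFC 6649).
WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

# Matches only ISSUE records; NEEDED_PREAUTH / PREAUTH_FAILED lines carry no issued etypes.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client_ip>\S+): "
    r"ISSUE: authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


def parse_issue_lines(log_text):
    """One dict per ISSUE line; etype fields converted to ints."""
    records = []
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["offered"] = [int(x) for x in rec["offered"].split()]
        for field in ("rep", "tkt", "ses"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def weak_key_findings(records):
    """Report which negotiated key in each ticket is single DES: rep is the key the
    reply is wrapped in (the client's long-term key for AS_REQ), tkt is the service's
    long-term key the ticket is sealed with, ses is the session key both sides share."""
    findings = []
    for r in records:
        weak = {f: WEAK_ETYPES[r[f]] for f in ("rep", "tkt", "ses") if r[f] in WEAK_ETYPES}
        if weak:
            findings.append((r["req"], r["service"], weak))
    return findings


if __name__ == "__main__":
    for req, service, weak in weak_key_findings(parse_issue_lines(SAMPLE_LOG)):
        print(f"{req} for {service}: single-DES {weak}")
```

Pointed at a real krb5kdc.log, the same check shows which service principals still hold only DES keys before a Cisco or other DES-only device is the only thing that can decrypt their tickets.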

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
