Date:      Wed, 13 Aug 2003 18:04:02 -0400
From:      Mikhail Teterin <mi+mx@aldan.algebra.com>
To:        net@FreeBSD.org, questions@FreeBSD.org
Subject:   troubles telnet-ing with Kerberos 
Message-ID:  <200308131804.02367@misha-mx.virtual-estates.net>

Hello!

I'm trying to make the FreeBSD 5.x machine accept users based on
Kerberos' tickets.

The telnet and telnetd seem like the most functional pair for this
exercise. (rlogin's man page documents Kerberos options, but they
are not implemented, it seems).

The KDC is a Win2K server (with Active Directory), but, according
to tcpdump, nothing talks to it during the (failing) authentication
attempt. After adding ``-a debug -edebug -D report'' to telnetd,
I get the following, when trying to telnet to the host:

telnet tool
Trying 172.21.128.30...
Connected to tool.us.example.com.
Escape character is '^]'.
td: send do AUTHENTICATION
td: ttloop
[ Trying mutual KERBEROS5 (host/tool.us.example.com@US.EXAMPLE.COM)... ]
td: ttloop read 36 chars
td: recv will AUTHENTICATION
td: send suboption AUTHENTICATION SEND KERBEROS_V5 CLIENT|MUTUAL KERBEROS_V5 
CLIENT|ONE-WAY SRA CLIENT|ONE-WAY 
td: recv do ENCRYPT
td: send will ENCRYPT
td: recv will ENCRYPT
td: send do ENCRYPT
td: send suboption ENCRYPT SUPPORT DES_CFB64 DES_OFB64 
td: recv do SUPPRESS GO AHEAD
td: send will SUPPRESS GO AHEAD
td: recv will TERMINAL TYPE
td: send do TERMINAL TYPE
td: recv will NAWS
td: send do NAWS
td: recv will TSPEED
td: send do TSPEED
td: recv will LFLOW
td: send do LFLOW
td: recv will LINEMODE
td: send do LINEMODE
td: recv will NEW-ENVIRON
td: send do NEW-ENVIRON
td: recv do STATUS
td: send will STATUS
td: recv will XDISPLOC
td: send do XDISPLOC
td: ttloop
td: ttloop read 1024 chars
td: recv suboption AUTHENTICATION NAME "mteterin"
td: ttloop
td: ttloop read 332 chars
td: recv suboption (terminated by (null) 59, not IAC SE!) AUTHENTICATION IS 
KERBEROS_V5 CLIENT|MUTUAL AUTH 110 130 4 220 48 130 4 216 160 3 2 1 5 161 3 2 
1 14 162 7 3 5 0 32 0 0 0 163 130 4 40 97 130 4 36 48 130 4 32 160 3 2 1 5 
161 14 27 12 85 83 46 77 85 82 69 88 46 67 79 77 162 36 48 34 160 3 2 1 1 161 
27 48 25 27 4 104 111 115 116 27 17 116 111 111 108 46 117 115 46 109 117 114 
101 120 46 99 111 109 163 130 3 225 48 130 3 221 160 3 2 1 1 162 130 3 212 4 
130 3 208 114 111 28 194 170 137 87 79 194 167 232 10 63 130 209 101 174 124 
75 197 43 114 188 113 63 64 10 128 64 197 195 141 15 19 2 223 182 93 144
td: recv suboption ENCRYPT REQUEST-START
td: recv suboption ENCRYPT SUPPORT DES_CFB64 DES_OFB64 
td: recv suboption NAWS 0 140 (140) 0 47 (47)
td: recv suboption LINEMODE SLC SYNCH DEFAULT 0; IP VARIABLE|FLUSHIN|FLUSHOUT 
3; AO VARIABLE 15; AYT VARIABLE 20; ABORT VARIABLE|FLUSHIN|FLUSHOUT 28; EOF 
VARIABLE 4; SUSP VARIABLE|FLUSHIN 26; EC VARIABLE 8; EL VARIABLE 21; EW 
VARIABLE 23; RP VARIABLE 18; LNEXT VARIABLE 22; XON VARIABLE 17; XOFF 
VARIABLE 19; FORW1 NOSUPPORT 255; FORW2 NOSUPPORT 255;
td: recv do SUPPRESS GO AHEAD
td: ttloop
[... Waits about a minute ...]
>>>TELNETD: I support auth type 2 2
>>>TELNETD: I support auth type 2 0
>>>TELNETD: I support auth type 6 0
>>>TELNETD: I will support DES_CFB64
>>>TELNETD: I will support DES_OFB64
>>>TELNETD: Sending type 2 2
>>>TELNETD: Sending type 2 0
>>>TELNETD: Sending type 6 0
>>>TELNETD: in auth_wait.
>>>TELNETD: Got NAME [mteterin]
>>>REPLY:2: [1] (47) 52 65 61 64 20 72 65 71 20 66 61 69 6c 65 64 3a
Read req failed: ASN.1 badly-formatted encoding
>>>TELNETD: He is supporting DES_CFB64 (1)
>>>TELNETD: He is supporting DES_OFB64 (2)
>>>TELNETD: (*ep->start)() returned 7

Because the KDC is a Windows machine, we had to add

	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc

to the krb5.conf's libdefaults section on all machines. Not sure if this
is the reason for the problem :-( -- there is an unanswered complaint
about the same trouble at

	http://www.geocrawler.com/archives/3/165/2002/8/250/9205461/

where the KDC was hosted on a NetBSD server...

Any ideas? Thanks!

	-mi
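
The failing exchange above shows a telnet AUTHENTICATION IS suboption that telnetd reports as not terminated by IAC SE, followed by an ASN.1 decode error on the Kerberos AP-REQ it carries. As an added illustration (not code from the e-mail or from FreeBSD's telnetd), the following Python frames and parses such a suboption per RFC 855 / RFC 2941 / RFC 2942 and compares the DER length the AP-REQ declares with the bytes that actually arrived; the sample bytes are constructed, with only the DER header 110 130 4 220 copied from the dump above.

```python
# Added example (not from the original e-mail): decode a telnet AUTHENTICATION
# IS suboption (RFC 855 framing, RFC 2941/2942 option) and compare the DER
# length the enclosed Kerberos AP-REQ declares with the bytes received.
IAC, SB, SE = 255, 250, 240          # RFC 854 command bytes
AUTHENTICATION = 37                  # RFC 2941 option code
IS, KERBEROS_V5, CLIENT_MUTUAL, AUTH = 0, 2, 2, 0

def encode_suboption(option, payload):
    """IAC SB <option> <payload> IAC SE, doubling any 255 in the payload."""
    body = payload.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, option]) + body + bytes([IAC, SE])

def parse_suboption(stream):
    """Return (option, payload, terminated); terminated is False when the
    stream ends before IAC SE (telnetd: 'terminated by ..., not IAC SE!')."""
    if stream[:2] != bytes([IAC, SB]):
        raise ValueError("not a suboption")
    payload, i = bytearray(), 3
    while i < len(stream):
        if stream[i] == IAC:
            if i + 1 >= len(stream):
                break                 # dangling IAC: stream was cut off
            if stream[i + 1] == SE:
                return stream[2], bytes(payload), True
            i += 1                    # IAC IAC escapes one data byte 255
        payload.append(stream[i])
        i += 1
    return stream[2], bytes(payload), False

def der_declared_length(der):
    """Header + content length of the first DER TLV (short or long form)."""
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_ap_req(stream):
    """Report whether the AP-REQ inside AUTHENTICATION IS arrived whole."""
    option, payload, terminated = parse_suboption(stream)
    expected = bytes([IS, KERBEROS_V5, CLIENT_MUTUAL, AUTH])
    if option != AUTHENTICATION or payload[:4] != expected:
        raise ValueError("not a KERBEROS_V5 CLIENT|MUTUAL AUTH message")
    der = payload[4:]                 # 0x6e = [APPLICATION 14] AP-REQ
    declared = der_declared_length(der)
    return {"declared": declared, "received": len(der),
            "complete": terminated and len(der) == declared}

# Constructed sample: header 110 130 4 220 (1244-byte AP-REQ) plus filler with one 255
SAMPLE_AP_REQ = bytes([0x6E, 0x82, 0x04, 0xDC, 0x30, 0xFF]) + bytes(1242)
SAMPLE_STREAM = encode_suboption(
    AUTHENTICATION, bytes([IS, KERBEROS_V5, CLIENT_MUTUAL, AUTH]) + SAMPLE_AP_REQ)
```

Feeding only the first 1024 bytes of SAMPLE_STREAM to check_ap_req (the size of the first read in the log) yields terminated=False and 1016 received against 1248 declared, which is the kind of mismatch a DER parser reports as a badly formed encoding.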