From owner-freebsd-net@FreeBSD.ORG  Wed Aug 13 15:03:36 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6085437B401; Wed, 13 Aug 2003 15:03:36 -0700 (PDT)
Received: from corbulon.video-collage.com (corbulon.video-collage.com
	[64.35.99.179])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8EBCC43F85; Wed, 13 Aug 2003 15:03:35 -0700 (PDT)
	(envelope-from mi+mx@aldan.algebra.com)
Received: from mteterin.us.murex.com (250-217.customer.cloud9.net
	[168.100.250.217])h7DM3PEt011549
	(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=FAIL);
	Wed, 13 Aug 2003 18:03:29 -0400 (EDT)
	(envelope-from mi+mx@aldan.algebra.com)
From: Mikhail Teterin <mi+mx@aldan.algebra.com>
Organization: Virtual Estates, Inc.
To: net@FreeBSD.org, questions@FreeBSD.org
Date: Wed, 13 Aug 2003 18:04:02 -0400
User-Agent: KMail/1.5.1
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200308131804.02367@misha-mx.virtual-estates.net>
X-Scanned-By: MIMEDefang 2.21 (www . roaringpenguin . com / mimedefang)
Subject: troubles telnet-ing with Kerberos 
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Aug 2003 22:03:36 -0000

Hello!

I'm trying to make the FreeBSD 5.x machine accept users based on
Kerberos' tickets.

The telnet and telnetd seem like the most functional pair for this
excercise. (rlogin's man page documents Kerberos options, but they
are not implemented, it seems).

The KDC is a Win2K server (with Active Directory), but, according
to tcpdump, nothing talks to it during the (failing) authentication
attempt. After adding ``-a debug -edebug -D report'' to telnetd,
I get the following, when trying to telnet to the host:

telnet tool
Trying 172.21.128.30...
Connected to tool.us.example.com.
Escape character is '^]'.
td: send do AUTHENTICATION
td: ttloop
[ Trying mutual KERBEROS5 (host/tool.us.example.com@US.EXAMPLE.COM)... ]
td: ttloop read 36 chars
td: recv will AUTHENTICATION
td: send suboption AUTHENTICATION SEND KERBEROS_V5 CLIENT|MUTUAL KERBEROS_V5 
CLIENT|ONE-WAY SRA CLIENT|ONE-WAY 
td: recv do ENCRYPT
td: send will ENCRYPT
td: recv will ENCRYPT
td: send do ENCRYPT
td: send suboption ENCRYPT SUPPORT DES_CFB64 DES_OFB64 
td: recv do SUPPRESS GO AHEAD
td: send will SUPPRESS GO AHEAD
td: recv will TERMINAL TYPE
td: send do TERMINAL TYPE
td: recv will NAWS
td: send do NAWS
td: recv will TSPEED
td: send do TSPEED
td: recv will LFLOW
td: send do LFLOW
td: recv will LINEMODE
td: send do LINEMODE
td: recv will NEW-ENVIRON
td: send do NEW-ENVIRON
td: recv do STATUS
td: send will STATUS
td: recv will XDISPLOC
td: send do XDISPLOC
td: ttloop
td: ttloop read 1024 chars
td: recv suboption AUTHENTICATION NAME "mteterin"
td: ttloop
td: ttloop read 332 chars
td: recv suboption (terminated by (null) 59, not IAC SE!) AUTHENTICATION IS 
KERBEROS_V5 CLIENT|MUTUAL AUTH 110 130 4 220 48 130 4 216 160 3 2 1 5 161 3 2 
1 14 162 7 3 5 0 32 0 0 0 163 130 4 40 97 130 4 36 48 130 4 32 160 3 2 1 5 
161 14 27 12 85 83 46 77 85 82 69 88 46 67 79 77 162 36 48 34 160 3 2 1 1 161 
27 48 25 27 4 104 111 115 116 27 17 116 111 111 108 46 117 115 46 109 117 114 
101 120 46 99 111 109 163 130 3 225 48 130 3 221 160 3 2 1 1 162 130 3 212 4 
130 3 208 114 111 28 194 170 137 87 79 194 167 232 10 63 130 209 101 174 124 
75 197 43 114 188 113 63 64 10 128 64 197 195 141 15 19 2 223 182 93 144
td: recv suboption ENCRYPT REQUEST-START
td: recv suboption ENCRYPT SUPPORT DES_CFB64 DES_OFB64 
td: recv suboption NAWS 0 140 (140) 0 47 (47)
td: recv suboption LINEMODE SLC SYNCH DEFAULT 0; IP VARIABLE|FLUSHIN|FLUSHOUT 
3; AO VARIABLE 15; AYT VARIABLE 20; ABORT VARIABLE|FLUSHIN|FLUSHOUT 28; EOF 
VARIABLE 4; SUSP VARIABLE|FLUSHIN 26; EC VARIABLE 8; EL VARIABLE 21; EW 
VARIABLE 23; RP VARIABLE 18; LNEXT VARIABLE 22; XON VARIABLE 17; XOFF 
VARIABLE 19; FORW1 NOSUPPORT 255; FORW2 NOSUPPORT 255;
td: recv do SUPPRESS GO AHEAD
td: ttloop
[... Waits about a minute ...]
>>>TELNETD: I support auth type 2 2
>>>TELNETD: I support auth type 2 0
>>>TELNETD: I support auth type 6 0
>>>TELNETD: I will support DES_CFB64
>>>TELNETD: I will support DES_OFB64
>>>TELNETD: Sending type 2 2
>>>TELNETD: Sending type 2 0
>>>TELNETD: Sending type 6 0
>>>TELNETD: in auth_wait.
>>>TELNETD: Got NAME [mteterin]
>>>REPLY:2: [1] (47) 52 65 61 64 20 72 65 71 20 66 61 69 6c 65 64 3a
Read req failed: ASN.1 badly-formatted encoding
>>>TELNETD: He is supporting DES_CFB64 (1)
>>>TELNETD: He is supporting DES_OFB64 (2)
>>>TELNETD: (*ep->start)() returned 7

Because the KDC is a Windows machine, we had to add

	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc

to the krb5.conf's libdefaults section on all machines. Not sure if this
is the reason for the problem :-( -- there is an unaswered complaint
about the same trouble at

	http://www.geocrawler.com/archives/3/165/2002/8/250/9205461/

where the KDC was hosted on a NetBSD server...

Any ideas? Thanks!

	-mi