Date: Mon, 12 Aug 2002 19:10:01 -0600 From: Tillman Hodgson <tillman@seekingfire.com> To: freebsd-questions@freebsd.org Subject: Heimdal Kerberos and client r* programs [reposted] Message-ID: <20020812191001.I4625@seekingfire.com>
(I'm reposting this because I've had no responses ... and the list
archive doesn't show my message. I suspect that it got eaten somehow.)
Howdy,
I've got a Heimdal Kerberos 5 KDC running and apparently working as host
'pluto' (I can get tickets from other machines for it and I can remotely
can passwords using k5passwd from host 'athena'). However, the r*
commands don't appear to connect to the Kerberos version of the service.
For example:
1. Do I have a ticket?
athena# k5list
Credentials cache: FILE:/tmp/krb5cc_0
Principal: toor@SEEKINGFIRE.PRV
Issued Expires Principal
Aug 2 10:52:34 Aug 2 20:52:34 krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
2. Set up 'tcpdump -n -i tl0 ! port 22' on a Kerberized server and try
to rlogin to it from the machine where I have my ticket. First, does the
server have Kerberized services working?
pluto# grep klogin /etc/inetd.conf
klogind stream tcp nowait root /usr/local/libexec/rlogind rlogind -k
eklogin stream tcp nowait root /usr/local/libexec/rlogind rlogind -k -x
pluto# sockstat -4 | grep inetd
root inetd 85 6 tcp4 *:543 *:*
root inetd 85 7 tcp4 *:2105 *:*
root inetd 85 8 tcp4 *:544 *:*
root inetd 85 9 tcp4 *:514 *:*
root inetd 85 10 tcp4 *:21 *:*
3. Looks good. Let's try the connection using rlogin to hit the 'rlogind
-k -x' service ...
athena# rlogin -x pluto
rlogin: the -x flag requires Kerberos authentication
4. Hmmm. Not good. Ok, let's try it without -x but specifying the realm
explicitly:
athena# rlogin -k SEEKINGFIRE.PRV pluto
pluto.seekingfire.prv: Connection refused
pluto# tcpdump -n -i tl0 ! port 22
tcpdump: listening on tl0
11:23:06.473509 192.168.23.3.975 > 192.168.23.4.513: S 1685558690:1685558690(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 137733464 0> (DF)
11:23:06.473600 192.168.23.4.513 > 192.168.23.3.975: R 0:0(0) ack 1685558691 win 0
5. Not good. It's not going to the port for the Kerberos version of
rlogin. Is the version of rlogin that I'm using even capable of it?
athena# truss rlogin -k SEEKINGFIRE.PRV pluto
<snip>
access("/usr/lib/libkrb.so.3",0) = 0 (0x0)
open("/usr/lib/libkrb.so.3",0x0,027757775574) = 3 (0x3)
<snip>
6. Looks like it. Ugh. I'm stuck :-)
For the curious, here's more info on the version of rlogin that I'm
using:
athena# uname -a
FreeBSD athena.seekingfire.prv 4.6-STABLE FreeBSD 4.6-STABLE #1: Mon Jul 15 15:54:26 CST 2002 toor@athena.seekingfire.prv:/usr/obj/usr/src/sys/GENERIC i386
athena# whereis rlogin
rlogin: /usr/bin/rlogin /usr/share/man/man1/rlogin.1.gz /usr/src/usr.bin/rlogin
athena# ls -l /usr/bin/rlogin
-r-sr-xr-x 1 root wheel 17636 Jul 17 12:20 /usr/bin/rlogin
athena# md5 /usr/bin/rlogin
MD5 (/usr/bin/rlogin) = d8ee52a569e664e6da4a51b9cc13c025
TIA for any help that you can provide,
- Tillman
Updating my own post with new information ...
On Fri, Aug 02, 2002 at 11:29:16AM -0600, Tillman Hodgson wrote:
> I've got a Heimdal Kerberos 5 KDC running and apparently working as host
> 'pluto' (I can get tickets from other machines for it and I can remotely
> can passwords using k5passwd from host 'athena'). However, the r*
That should say "change passwords", naturally.
> athena# rlogin -x pluto
> rlogin: the -x flag requires Kerberos authentication
>
> 4. Hmmm. Not good.
I've since discovered /etc/auth.conf (which is just _barely_
documented). I've added the line:
auth_list = passwd kerberos
Which, while it doesn't fix things, at least gives me different error
messages :-)
athena# k5list
Credentials cache: FILE:/tmp/krb5cc_0
Principal: toor@SEEKINGFIRE.PRV
Issued Expires Principal
Aug 2 10:52:34 Aug 2 20:52:34 krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
v4-ticket file: /tmp/tkt0
k5list: No ticket file (tf_util)
athena# rlogin -x pluto
rlogin: krcmd_mutual: No ticket file (tf_util)
rlogin: can't provide Kerberos auth data: No such file or directory
rlogin: the -x flag requires Kerberos authentication
Obviously I have a Kerberos 5 ticket, though I don't have a v4 one. Is
auth.conf only for v4?
TIA,
- Tillman
--
Always listen to experts. They'll tell you what can't be done and why.
Then do it.
Robert Heinlein
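As an added example (not code from the thread or from FreeBSD), here is a small POSIX sh script that applies the check the post does by hand: given sockstat-style listener output and a tcpdump SYN line, it reports whether an rlogin attempt reached a Kerberized listener, a plaintext one, or a port nobody listens on. The sample inputs are constructed to match the post's output, and the port roles are taken from the post's inetd.conf and sockstat listing (543 klogin, 2105 eklogin, 513 plaintext rlogin).

```shell
#!/bin/sh
# Added example, not code from the original thread. Decides whether an rlogin
# attempt reached a Kerberized listener. Port roles follow the post's inetd.conf
# and sockstat listing: 543 = klogin, 2105 = eklogin; 513 = plaintext rlogin.

# Constructed samples modelled on the output quoted in the post.
SAMPLE_SOCKSTAT='root inetd 85 6 tcp4 *:543 *:*
root inetd 85 7 tcp4 *:2105 *:*
root inetd 85 8 tcp4 *:544 *:*
root inetd 85 9 tcp4 *:514 *:*
root inetd 85 10 tcp4 *:21 *:*'
SAMPLE_SYN='11:23:06.473509 192.168.23.3.975 > 192.168.23.4.513: S 1685558690:1685558690(0) win 57344'

# listening_port PORT SOCKSTAT_TEXT: succeeds if a tcp4 listener on PORT is present.
listening_port() {
    printf '%s\n' "$2" | awk -v want="*:$1" \
        '$5 == "tcp4" && $6 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# syn_dst_port TCPDUMP_LINE: prints the destination port of a tcpdump TCP line.
syn_dst_port() {
    # field 4 looks like "192.168.23.4.513:"; drop the colon, keep the last dotted part.
    printf '%s\n' "$1" | awk '{ sub(/:$/, "", $4); n = split($4, a, "."); print a[n] }'
}

# classify_rlogin_port PORT: names the r-service behind PORT.
classify_rlogin_port() {
    case "$1" in
        513)  echo plaintext-rlogin ;;
        543)  echo klogin ;;
        2105) echo eklogin ;;
        *)    echo unknown ;;
    esac
}

# rlogin_verdict TCPDUMP_LINE SOCKSTAT_TEXT: prints kerberized, plaintext, unknown or no-listener.
rlogin_verdict() {
    port=$(syn_dst_port "$1")
    if ! listening_port "$port" "$2"; then
        echo no-listener      # the server answers such a SYN with RST: "Connection refused"
        return
    fi
    case "$(classify_rlogin_port "$port")" in
        klogin|eklogin)   echo kerberized ;;
        plaintext-rlogin) echo plaintext ;;
        *)                echo unknown ;;
    esac
}
# For the post's capture the client went to 513, where nothing listens: no-listener
rlogin_verdict "$SAMPLE_SYN" "$SAMPLE_SOCKSTAT"
```

The verdict matches what the post's tcpdump shows: the RST comes from the server because the client aimed at 513 instead of 543 or 2105, which is why the Kerberized service was never contacted.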
