
Failed Heimdal kerberized telnet/telnetd/login test.



> My objective is to see the fabulous single sign-on of Kerberos and also
> to get knowledge about this charming system. Of course using the
> Heimdal distribution.
>
> I installed and configured Heimdal 0.4e on Solaris 8.
>
> I have two big questions one practical and the other theory. I'd like
> to start with the practical question first:
>
> The first one is that I get an invalid password error when I use the Heimdal
> telnet version:
>
#$HEIMDAL_HOME/bin/telnet CERBERUS
Trying 192.0.0.116...
Connected to CERBERUS.
Escape character is '^]'.

*** Connection not encrypted! Communication may be eavesdropped. ***
login: apatino
Password:
Login incorrect.
login: Login timed out after 60 seconds
Connection closed by foreign host.

> Just to add more info, I get the following lines in my log:
Oct 10 18:50:16 CERBERUS kdc[1215]: AS-REQ apatino@CTXFARMS.ARANEA.COM from IPv4:192.0.0.116 for krbtgt/CTXFARMS.ARANEA.COM@CTXFARMS.ARANEA.COM
Oct 10 18:50:16 CERBERUS kdc[1215]: decrypting 32 bytes with key-id 0xe46b4165 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS kdc[1215]: decrypting 16 bytes with key-id 0xe46b4165 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS last message repeated 5 times
Oct 10 18:50:16 CERBERUS kdc[1215]: decrypting 32 bytes with key-id 0xe46b4165 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS kdc[1215]: Using des3-cbc-sha1/des3-cbc-sha1
Oct 10 18:50:16 CERBERUS kdc[1215]: encrypting 176 bytes with key-id 0xf9d86650 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS kdc[1215]: encrypting 224 bytes with key-id 0xd703ac21 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS kdc[1215]: sending 631 bytes to IPv4:192.0.0.116
login: decrypting 224 bytes with key-id 0xd703ac21 (des3-cbc-sha1)

> I did the following tasks:
> modify /etc/inetd.conf:
> and comment the original telnet service and add the Heimdal version:
> Note: /usr/local/kerberos is the --prefix value I used in configure
> Just to stress that I'm using the Heimdal programs
...
telnet  stream  tcp     nowait  root    /usr/local/kerberos/libexec/telnetd telnetd -a debug -L /usr/local/kerberos/bin/login

> Before this I tried the following links, but I don't see what I'm doing wrong:

> How to kerberize your site
> http://www.y12doe.gov/~jar/HowToKerb.html
> Heimdal official doc page and man pages
> http://www.pdc.kth.se/heimdal/heimdal.html
> SEAM info from SOLARIS 8
> http://docs.sun.com

> I'll describe quickly what I did to configure my KDC:
> First I'll make certain that I'm using the Heimdal programs and not the Solaris ones
# pwd
/usr/local/kerberos
> Now I create my master key to authenticate the kdc to itself
# sbin/kstash
Master key:
Verifying password - Master key:
kstash: writing key to `/var/heimdal/m-key'
> Now I create my REALM locally
> and add default principals to the heimdal.db database
# sbin/kadmin -l
kadmin> init CTXFARMS.ARANEA.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
Seed file = /dev/egd-pool
kadmin: encrypting 32 bytes with key-id 0xe46b4165 (des3-cbc-sha1)
> COMMENT: the previous line is repeated.
> Note that the encryption type is (des3-cbc-sha1). I suppose that is triple DES
> in cipher block chaining mode with the secure hash algorithm. Please forgive me
> if I don't
>
> Now I add admin principals:
kadmin> ank apatino/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
apatino/admin@CTXFARMS.ARANEA.COM's Password:
Verifying password - apatino/admin@CTXFARMS.ARANEA.COM's Password:
kadmin> ank apatino
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
apatino@CTXFARMS.ARANEA.COM's Password:
Verifying password - apatino@CTXFARMS.ARANEA.COM's Password:
kadmin> exit
> Now I start the kdc and kadmind services
# libexec/kdc &
[1]     1215
# libexec/kadmind&
> Now I get my TGT from the AS
# bin/kinit -f apatino/admin
apatino/admin@CTXFARMS.ARANEA.COM's Password:
> Please see the line I got from my log, just for info
Oct 10 18:27:09 CERBERUS kdc[1215]: AS-REQ apatino/admin@CTXFARMS.ARANEA.COM from IPv4:192.0.0.116 for krbtgt/CTXFARMS.ARANEA.COM@CTXFARMS.ARANEA.COM

> Now I'm gonna add a principal for a service
# sbin/kadmin
> I use the random-key option because I won't need to derive a key from a password
> because the service will never ask for a password!!
kadmin> ank --random-key host/CERBERUS.CTXFARMS.ARANEA.COM
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
> Now I extract the key to /etc/krb5.keytab
kadmin> ext host/*
kadmin> exit

> And that's it. I don't know if my problem is that I am using the same KDC machine to
> install client principals and server principals. Please tell me if I'm wrong.
>
> But I simply don't get the point.
>
> In the first instance I don't understand the role of the /etc/krb5.keytab keytab
> file. I just think that random keys are stored in the heimdal.db file and
> the keytab file is used to authenticate services... mmmm, that's my best
> opinion :-)
> Besides, I did:
>
> modify /etc/inetd.conf:
> comment the original telnet service and add the Heimdal version:
...
telnet  stream  tcp     nowait  root    /usr/local/kerberos/libexec/telnetd telnetd -a debug -L /usr/local/kerberos/bin/login
...


> Thanks in advance if you have reached the end of this long posting.
> Also I'd like to commit to improving the Heimdal doc, because I think it is
> missing a lot of info to help new users of this marvellous system.

Forget my technical questions. I'll post in other messages.

Alberto Patino
jalbertop@aranea.com.mx
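Added example, not code from Alberto's post or from Heimdal: a small Python script that reads KDC log lines like the ones quoted above and reports, per AS-REQ, whether the KDC finished the exchange by sending a reply (the quoted log does show "sending 631 bytes" back to the requester after the AS-REQ for apatino, and the login program then logs that it decrypted the 224-byte part, so the KDC's side of the exchange completed). It also compares a host principal created with `ank` against the lowercase host/<fqdn>@REALM form a server-side keytab lookup would use; Kerberos principal names are case-sensitive, so the two spellings are different keys. The regexes and SAMPLE_LOG are constructed from the post, the second AS-REQ in the sample is made up to show the no-reply case, and the lowercase canonicalization of the host name is an assumption about the library, not something the post establishes; whether that naming is the cause of the "Login incorrect" here is not settled by the post.

```python
"""
Added example, not code from the original post or from Heimdal: parse KDC log
lines of the kind quoted in the post, report per AS-REQ whether the KDC
finished the exchange by sending a reply, and check a host service principal
name against the canonical form a server-side keytab lookup would use.
The regexes and SAMPLE_LOG are constructed from the post's log lines; they
are assumptions about Heimdal 0.4e's log format, not a documented interface.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shortened from the KDC log quoted in the post, plus one
# made-up second request (apatino/admin) that never gets a reply, to show the
# negative case.
SAMPLE_LOG = """\
Oct 10 18:50:16 CERBERUS kdc[1215]: AS-REQ apatino@CTXFARMS.ARANEA.COM from IPv4:192.0.0.116 for krbtgt/CTXFARMS.ARANEA.COM@CTXFARMS.ARANEA.COM
Oct 10 18:50:16 CERBERUS kdc[1215]: decrypting 32 bytes with key-id 0xe46b4165 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS kdc[1215]: Using des3-cbc-sha1/des3-cbc-sha1
Oct 10 18:50:16 CERBERUS kdc[1215]: encrypting 176 bytes with key-id 0xf9d86650 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS kdc[1215]: encrypting 224 bytes with key-id 0xd703ac21 (des3-cbc-sha1)
Oct 10 18:50:16 CERBERUS kdc[1215]: sending 631 bytes to IPv4:192.0.0.116
Oct 10 18:51:02 CERBERUS kdc[1215]: AS-REQ apatino/admin@CTXFARMS.ARANEA.COM from IPv4:192.0.0.116 for krbtgt/CTXFARMS.ARANEA.COM@CTXFARMS.ARANEA.COM
"""

AS_REQ = re.compile(r"kdc\[\d+\]: AS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<service>\S+)")
ENCTYPES = re.compile(r"kdc\[\d+\]: Using (?P<enc>\S+)")
SENDING = re.compile(r"kdc\[\d+\]: sending (?P<n>\d+) bytes to (?P<dst>\S+)")


@dataclass
class AsExchange:
    client: str
    service: str
    src: str
    enctypes: Optional[str] = None    # "client-enctype/session-enctype" as logged
    reply_bytes: Optional[int] = None

    @property
    def replied(self) -> bool:
        # A "sending N bytes" back to the requester means the AS exchange
        # completed on the KDC side; any later failure is in the client or
        # in the program that verifies the credentials (here, login).
        return self.reply_bytes is not None


def parse_kdc_log(text: str) -> List[AsExchange]:
    """Group log lines into AS exchanges; an exchange closes on its reply."""
    exchanges: List[AsExchange] = []
    current: Optional[AsExchange] = None
    for line in text.splitlines():
        m = AS_REQ.search(line)
        if m:
            current = AsExchange(m["client"], m["service"], m["src"])
            exchanges.append(current)
            continue
        if current is None:
            continue
        m = ENCTYPES.search(line)
        if m:
            current.enctypes = m["enc"]
            continue
        m = SENDING.search(line)
        if m and m["dst"] == current.src:
            current.reply_bytes = int(m["n"])
            current = None        # exchange closed
    return exchanges


def expected_host_principal(hostname: str, realm: str) -> str:
    """Service principal a server would look for in its keytab.

    Assumption: the library canonicalizes the host name to lowercase before
    building host/<fqdn>@REALM. Principal names are case-sensitive, so
    host/CERBERUS.X@R and host/cerberus.x@R are two different keys.
    """
    return f"host/{hostname.lower()}@{realm}"


def check_host_principal(created: str, hostname: str, realm: str):
    """Return (matches, expected) for a principal created with `ank`."""
    expected = expected_host_principal(hostname, realm)
    return created == expected, expected


if __name__ == "__main__":
    for ex in parse_kdc_log(SAMPLE_LOG):
        status = f"replied {ex.reply_bytes} bytes" if ex.replied else "NO REPLY LOGGED"
        print(f"{ex.client} -> {ex.service} [{ex.enctypes}]: {status}")
    ok, want = check_host_principal(
        "host/CERBERUS.CTXFARMS.ARANEA.COM@CTXFARMS.ARANEA.COM",
        "CERBERUS.CTXFARMS.ARANEA.COM", "CTXFARMS.ARANEA.COM")
    print("host principal matches canonical form:", ok, "(expected", want + ")")
```

Run it as-is to see both checks on the constructed sample; to use it on a real /var/log entry, feed the KDC's log text to parse_kdc_log and compare the `ank` name you used with expected_host_principal(hostname, realm), where hostname is whatever the server's resolver returns for its own name.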