
RE: Kerberos 5 PAM module/heimdal telnet problem



Hi Stephan.
>Stephan Siano wrote:

>Maybe you don't have all the necessary principals or keytabs.
Well, let me tell you that after many unsuccessful tries, at least I have
gained a better understanding of how master keys and session keys are
related, well, from a high-level point of view, of course. :-)

I think that the keytab file is not the problem, because I did have
this kind of problem, but I can track this error message. I have
insisted, but I get the same error of Invalid login.
(Of course I'm sure I'm using the principal name and the password I
created with kadmin...)

After testing with heimdal kerberized telnet and the Solaris krb5_pam module I
got the same problem, Invalid login, but I found something very interesting
tracking debug messages in /var/adm/messages:
pam_krb5 is using the encryption type (des-cbc-md5) and the heimdal kdc
is using (des-cbc-sha1). So I think this is related to my problem.
On the other hand, actually I don't know which encryption types are
being used by the kerberized heimdal telnet programs. But I think that
they are using a different encryption type. So finally I'd like to know
the way to find out what encryption types are being used.

>To log on with the pam_krb5-module you need two principals, one for the
>user and one for the host (username@YOUR.REALM and
>host/your.host.name@YOUR.REALM). The key for username@YOUR.REALM is the
>password, the key for host/your.host.name@YOUR.REALM should be in the
>keytab file of your.host.name).
Of course, this is the master key generated with the --random-key option
of the add command for the service.
>
>To use a kerberized service (e.g. telnet), you will need two other
>principals: host/other.host.name@YOUR.REALM and
>telnet/other.host.name@YOUR.REALM. The keys for those two principals
>have to be in the keytab file of other.host.name (the file must be
>readable by the telnet daemon!)
>
Yes, but in my case I want to test with the same machine, so
your.host.name = other.host.name.
>
>
>To debug the whole stuff, you should use the klist-command.
>
>After a logon with the pam_krb5 module you should have (at least) the
>following tickets in your credential cache (that's the stuff you list
>with the klist command) the ticket granting ticket
>krbtgt/YOUR.REALM@YOUR.REALM and the host ticket
>host/your.host.name@YOUR.REALM. After you issue a kerberized telnet
>command, you should get another ticket for the telnet service
>telnet/other.host.name@YOUR.REALM. If you don't have this ticket and the
>connection fails, the problem is a missing principal or in the client
>configuration, if you get all these tickets and you still can't use
>telnet, the problem is the configuration of the telnet server (maybe the
>telnetd is not kerberized or the keytab file is incomplete, missing or not
>readable by the telnetd).

>I hope, this helps.

Of course: Thanks A lot.

Yours,
Alberto Patino


Alberto Patino
jalbertop@aranea.com.mx
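The debugging procedure Stephan lays out (look in the credential cache for the krbtgt, host/ and telnet/ tickets and decide from which one is missing whether the fault is the logon, the client side or the telnet server) and Alberto's question about seeing the encryption types can be turned into a small check. The following is an added example, not code from this thread or from Heimdal: it parses credential-cache output in the style of Heimdal's `klist -v` (the "Server:" and "Ticket etype:" field names are an assumption about that format) and reports the missing principals, the enctype of each ticket and a diagnosis following Stephan's rules. The sample output embedded below is constructed for the example, not captured from a real KDC.

```python
import re

# Constructed sample modelled on Heimdal "klist -v" output (assumption: the
# per-ticket block uses "Server:" and "Ticket etype:" lines). It shows the
# situation after a pam_krb5 logon: a TGT and a host ticket are present, the
# telnet service ticket is not yet there, and the two tickets carry different
# DES enctypes, as in the des-cbc-md5 / des-cbc-sha1 mismatch described above.
SAMPLE_KLIST_V = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: alberto@YOUR.REALM
    Cache version: 4

Server: krbtgt/YOUR.REALM@YOUR.REALM
Client: alberto@YOUR.REALM
Ticket etype: des-cbc-sha1, kvno 1
Auth time:  Jan 15 10:00:00 2001
End time:   Jan 15 20:00:00 2001
Ticket flags: initial, pre-authent

Server: host/your.host.name@YOUR.REALM
Client: alberto@YOUR.REALM
Ticket etype: des-cbc-md5, kvno 2
Auth time:  Jan 15 10:00:00 2001
End time:   Jan 15 20:00:00 2001
Ticket flags: pre-authent
"""

_ETYPE_RE = re.compile(r"Ticket etype:\s*([^,\s]+)(?:,\s*kvno\s+(\d+))?")


def parse_klist_verbose(text):
    """Return one dict per ticket: server principal, client, enctype, kvno."""
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            cur = {"server": line.split(":", 1)[1].strip(), "etype": None, "kvno": None}
            tickets.append(cur)
        elif cur is not None and line.startswith("Client:"):
            cur["client"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("Ticket etype:"):
            m = _ETYPE_RE.match(line)
            if m:
                cur["etype"] = m.group(1)
                cur["kvno"] = int(m.group(2)) if m.group(2) else None
    return tickets


def expected_principals(realm, host, service="telnet"):
    """The three tickets a pam_krb5 logon plus a kerberized telnet should yield."""
    return [f"krbtgt/{realm}@{realm}", f"host/{host}@{realm}", f"{service}/{host}@{realm}"]


def check_cache(text, realm, host, service="telnet"):
    """Compare the cache against the expected tickets and collect enctypes."""
    tickets = parse_klist_verbose(text)
    have = {t["server"]: t for t in tickets}
    expected = expected_principals(realm, host, service)
    return {
        "missing": [p for p in expected if p not in have],
        "etypes": {t["server"]: t["etype"] for t in tickets},
        "distinct_etypes": sorted({t["etype"] for t in tickets if t["etype"]}),
    }


def diagnose(text, realm, host, service="telnet"):
    """Apply the rule of thumb from the thread to decide where to look next."""
    result = check_cache(text, realm, host, service)
    missing = result["missing"]
    tgt, host_tkt, svc_tkt = expected_principals(realm, host, service)
    if tgt in missing:
        return "no-tgt"            # the logon itself failed: user principal/password
    if host_tkt in missing:
        return "no-host-ticket"    # host/ principal or keytab on the login host
    if svc_tkt in missing:
        return "no-service-ticket" # missing service principal or client config
    return "server-side"           # all tickets present: telnetd/keytab on the server


if __name__ == "__main__":
    report = check_cache(SAMPLE_KLIST_V, "YOUR.REALM", "your.host.name")
    for server, etype in report["etypes"].items():
        print(f"{server:45s} {etype}")
    print("missing:", report["missing"])
    print("enctypes in use:", report["distinct_etypes"])
    print("diagnosis:", diagnose(SAMPLE_KLIST_V, "YOUR.REALM", "your.host.name"))
```

On a live system the text would come from `klist -v` (Heimdal) instead of the embedded sample; seeing two different enctypes side by side, as the sample does, is the quickest way to confirm the kind of mismatch noted in /var/adm/messages.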