
Heimdal and r* client programs



[ For those that might have seen me post this issue elsewhere, I've
tried the FreeBSD -questions mailing list without reply, so I thought
I'd try on the Heimdal list. ]


Howdy,

I've got a Heimdal Kerberos 5 KDC running (on FreeBSD 4.6) and
apparently working. It's host 'pluto' and I can get tickets from other
machines from it and I can remotely change passwords using k5passwd
(what FreeBSD calls the heimdal implementation of kpasswd) from host
'athena'. However, the r* commands don't appear to connect to the
Kerberos version of the service.  For example:

1. Do I have a ticket?

athena# k5list
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: toor@SEEKINGFIRE.PRV

  Issued           Expires          Principal
Aug  2 10:52:34  Aug  2 20:52:34  krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV

2. Set up 'tcpdump -n -i tl0 ! port 22' on a Kerberized server and try
to rlogin to it from the machine where I have my ticket. First, does the
server have Kerberized services working? (I've temporarily set up pluto
to do this, though naturally this won't exist this way in production
use).

pluto# grep klogin /etc/inetd.conf
klogind stream  tcp     nowait  root    /usr/local/libexec/rlogind rlogind -k
eklogin stream  tcp     nowait  root    /usr/local/libexec/rlogind rlogind -k -x

pluto# sockstat -4 | grep inetd
root     inetd       85    6 tcp4   *:543                 *:*
root     inetd       85    7 tcp4   *:2105                *:*
root     inetd       85    8 tcp4   *:544                 *:*
root     inetd       85    9 tcp4   *:514                 *:*
root     inetd       85   10 tcp4   *:21                  *:*

3. Looks good. Let's try the connection using rlogin to hit the 'rlogind
-k -x' service ...

athena# rlogin -x pluto
rlogin: the -x flag requires Kerberos authentication

4. Hmmm. Not good. Ok, let's try it without -x but specifying the realm
explicitly:

athena# rlogin -k SEEKINGFIRE.PRV pluto
pluto.seekingfire.prv: Connection refused

pluto# tcpdump -n -i tl0 ! port 22
tcpdump: listening on tl0
11:23:06.473509 192.168.23.3.975 > 192.168.23.4.513: S 1685558690:1685558690(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 137733464 0> (DF)
11:23:06.473600 192.168.23.4.513 > 192.168.23.3.975: R 0:0(0) ack 1685558691 win 0

5. Not good. It's not going to the port for the Kerberos version of
rlogin. Is the version of rlogin that I'm using even capable of it?

athena# truss rlogin -k SEEKINGFIRE.PRV pluto
<snip>
access("/usr/lib/libkrb.so.3",0)                 = 0 (0x0)
open("/usr/lib/libkrb.so.3",0x0,027757775574)    = 3 (0x3)
<snip>

6. Looks like it. Ugh. I'm stuck :-)

For the curious, here's more info on the version of rlogin that I'm
using:

athena# uname -a
FreeBSD athena.seekingfire.prv 4.6-STABLE FreeBSD 4.6-STABLE #1: Mon Jul 15 15:54:26 CST 2002 toor@athena.seekingfire.prv:/usr/obj/usr/src/sys/GENERIC  i386

athena# whereis rlogin
rlogin: /usr/bin/rlogin /usr/share/man/man1/rlogin.1.gz /usr/src/usr.bin/rlogin

athena# ls -l /usr/bin/rlogin
-r-sr-xr-x  1 root  wheel  17636 Jul 17 12:20 /usr/bin/rlogin

athena# md5 /usr/bin/rlogin
MD5 (/usr/bin/rlogin) = d8ee52a569e664e6da4a51b9cc13c025

I've also tried rsh from the Heimdal port (from the FreeBSD ports tree):

athena# /usr/local/bin/rsh --version
rsh (heimdal-0.4e, krb4-1.0)
Copyright (c) 1999-2001 Kungliga Tekniska Högskolan

But that also doesn't seem to work:

athena# /usr/local/bin/rsh pluto
rlogin: warning, using standard rlogin: krcmd: Protocol error (get_in_tkt)

7. I've since discovered FreeBSD's /etc/auth.conf (which is just
_barely_ documented). I've changed the auth_list line to include
kerberos:

auth_list       =       passwd kerberos

Which, while it doesn't fix things, at least gives me different error
messages :-)

athena# k5list
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: toor@SEEKINGFIRE.PRV

  Issued           Expires          Principal
Aug  2 10:52:34  Aug  2 20:52:34  krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV

v4-ticket file: /tmp/tkt0
k5list: No ticket file (tf_util)

athena# rlogin -x pluto
rlogin: krcmd_mutual: No ticket file (tf_util)
rlogin: can't provide Kerberos auth data: No such file or directory
rlogin: the -x flag requires Kerberos authentication

Obviously I have a kerberos 5 ticket, though I don't have a v4 one. Is
auth.conf only for v4?

TIA,

- Tillman

-- 
When you can do nothing what can you do?
	- Zen koan
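As an added example (not part of the original post or of Heimdal), a small Python check over `tcpdump -n` lines of the shape shown in step 4: it flags r* connection attempts that went to the plaintext rlogin/rsh ports rather than the Kerberized klogin/eklogin/kshell ports from the inetd listing. The port-to-service table is an assumption based on the ports listed in the post, and the extra sample lines beyond the two captured ones are constructed.

```python
import re

# Assumed mapping: ports from the post's sockstat/inetd listing plus the
# classic plaintext rlogin port 513 that the client actually hit.
R_PORTS = {
    513: ("rlogin", False),   # plaintext rlogin (no Kerberos at all)
    514: ("rsh", False),      # plaintext rsh
    543: ("klogin", True),    # Kerberized rlogin (rlogind -k)
    2105: ("eklogin", True),  # Kerberized + encrypted rlogin (rlogind -k -x)
    544: ("kshell", True),    # Kerberized rsh
}

# Matches the "tcpdump -n" line shape: "HH:MM:SS.usec src.sport > dst.dport: FLAGS ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

def classify_syns(lines):
    """Return one record per TCP SYN ('S' flags) aimed at a known r* port."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S":
            continue  # skip RST/ACK lines and anything that is not a SYN
        dport = int(m.group("dport"))
        if dport not in R_PORTS:
            continue
        service, kerberized = R_PORTS[dport]
        records.append({"ts": m.group("ts"), "src": m.group("src"),
                        "dst": m.group("dst"), "port": dport,
                        "service": service, "kerberized": kerberized})
    return records

def cleartext_fallbacks(lines):
    """Only the attempts that bypassed the Kerberized ports entirely."""
    return [r for r in classify_syns(lines) if not r["kerberized"]]

# Constructed sample: the two lines from the post, plus two made-up SYNs
# showing what a correctly configured client hitting klogin/eklogin looks like.
SAMPLE = [
    "11:23:06.473509 192.168.23.3.975 > 192.168.23.4.513: S 1685558690:1685558690(0) win 57344 <mss 1460> (DF)",
    "11:23:06.473600 192.168.23.4.513 > 192.168.23.3.975: R 0:0(0) ack 1685558691 win 0",
    "11:25:01.100000 192.168.23.3.976 > 192.168.23.4.543: S 1:1(0) win 57344 <mss 1460> (DF)",
    "11:26:02.200000 192.168.23.3.977 > 192.168.23.4.2105: S 2:2(0) win 57344 <mss 1460> (DF)",
]

if __name__ == "__main__":
    for r in cleartext_fallbacks(SAMPLE):
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['port']} used plaintext {r['service']}")
```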