Good day!
I'm trying to configure a Cisco router (7206, 12.2) to use krb5-telnet as the default authentication; however, I bumped into the following problems:
On kdc:
encode_as_rep_as_tgs_rep = true (krb5.conf {kdc})
del_enctype host/our.router {all except des-cbc-crc}
On router:
#conf t
#aaa new-model
#aaa authentication login default krb5-telnet krb5 group radius local
#kerberos local-realm OUR.REALM
#kerberos srvtab remote 10.10.10.1 /tftp/krb5.keytab
And I got:
Loading /tftp/krb5.keytab from 10.10...
[OK - 71 bytes]
truncated srvtab!... Discarding
Failed to retrieve srvtab from tftp://10.10
1 1 8
And if I don't delete other etypes I got:
Loading /tftp/krb5.keytab from 10.10....
[OK - 209 bytes]
No principals in srvtab! Discarding...
Failed to retrieve srvtab from tftp://..!
..
1 3 8
However, when I looked into my running config using sho run, I can see that the
host/our.router@OUR.REALM entry has been created.
On the des-cbc-crc srvtab:
the timestamp is followed by these numbers (1 1 8), which means that indeed it uses DES...
while the other srvtab has (1 3 8).
In both cases:
When I try telneting to our.router:
#telnet our.router
[ Trying mutual KERBEROS5 (host/our.router@OUR.REALM)... ]
*** Connection not encrypted! Communication may be eavesdropped. ***
Server refused to negotiate encryption.
##
It failed....
If I don't remove all encryption types for that host principal, the router doesn't throw any "Truncated" error; however, the same "Server refused to negotiate encryption" error occurs.
Any idea where I might have gone wrong?
Also, telnet(1) on FreeBSD 6.0 defaults to turning on encryption of the data stream if possible, but I couldn't turn it off by passing -y as an argument to telnet... And I couldn't even use the telnet client anymore, even after I turned the default authentication method back (to something other than krb5-telnet).
That's all for now... thanks!!
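The "1 1 8" / "1 3 8" numbers the router prints after the timestamp are the kvno, enctype and key length of each keytab entry, read straight from the keytab's binary layout. As an added example that is not part of the original post, here is a small Python parser for the MIT 0x0502 keytab format that lists each entry's principal, kvno, enctype (1 = des-cbc-crc, 3 = des-cbc-md5, per RFC 3961) and key length, and reports a truncated file rather than silently dropping entries, which is the kind of check worth running on the file before handing it to the router. The principal host/our.router@OUR.REALM, the timestamp and the 8-byte keys in the sample are constructed for the demonstration; the script also accepts a real keytab path as its first argument.

```python
"""Parse and build MIT-format (0x0502) Kerberos keytab / srvtab files.

Added example for inspecting what a router reads from a keytab.
The sample principal, realm, timestamp and keys are constructed, not real.
"""
import struct
from dataclasses import dataclass

# Encryption type numbers from RFC 3961 (and RFC 4757 for rc4-hmac).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


class KeytabError(ValueError):
    """Raised for a truncated or malformed keytab."""


@dataclass
class KeytabEntry:
    principal: str   # e.g. "host/our.router@OUR.REALM"
    name_type: int   # 1 = NT-PRINCIPAL, 3 = NT-SRV-HST
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    def summary(self) -> str:
        name = ENCTYPE_NAMES.get(self.enctype, "unknown")
        return (f"{self.principal} kvno={self.kvno} "
                f"enctype={self.enctype}({name}) keylen={len(self.key)}")


def _take(buf: bytes, off: int, n: int, what: str) -> tuple[bytes, int]:
    """Return buf[off:off+n] and the new offset, or raise if the file ends early."""
    if off + n > len(buf):
        raise KeytabError(f"truncated keytab: need {n} byte(s) for {what} "
                          f"at offset {off}, only {len(buf) - off} left")
    return buf[off:off + n], off + n


def _counted(buf: bytes, off: int, what: str) -> tuple[bytes, int]:
    """A counted octet string: uint16 big-endian length, then that many bytes."""
    raw, off = _take(buf, off, 2, what + " length")
    return _take(buf, off, struct.unpack(">H", raw)[0], what)


def _parse_entry(body: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack(">H", _take(body, 0, 2, "component count")[0])
    realm, off = _counted(body, 2, "realm")          # realm precedes the components
    comps = []
    for i in range(ncomp):
        c, off = _counted(body, off, f"component {i}")
        comps.append(c.decode())
    fixed, off = _take(body, off, 9, "name type/timestamp/vno8")
    name_type, timestamp, vno8 = struct.unpack(">IIB", fixed)
    kb, off = _take(body, off, 4, "keyblock header")
    enctype, keylen = struct.unpack(">HH", kb)        # the "1 8" in "1 1 8"
    key, off = _take(body, off, keylen, "key")
    kvno = vno8
    if len(body) - off >= 4:                           # optional 32-bit kvno; nonzero overrides vno8
        (vno32,) = struct.unpack(">I", body[off:off + 4])
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm.decode(),
                       name_type, timestamp, kvno, enctype, key)


def parse_keytab(buf: bytes) -> list[KeytabEntry]:
    """Parse a version-0x0502 keytab; raises KeytabError on truncation or corruption."""
    hdr, off = _take(buf, 0, 2, "header")
    if hdr != b"\x05\x02":
        raise KeytabError(f"unsupported keytab version {hdr.hex()}")
    entries = []
    while off < len(buf):
        (size,) = struct.unpack(">i", _take(buf, off, 4, "entry size")[0])
        off += 4
        if size < 0:                                   # negative size marks a deleted slot
            _, off = _take(buf, off, -size, "deleted entry")
            continue
        if size == 0:
            raise KeytabError(f"zero-length entry at offset {off - 4}")
        body, off = _take(buf, off, size, "entry body")
        entries.append(_parse_entry(body))
    return entries


def build_keytab(entries: list[KeytabEntry]) -> bytes:
    """Serialize entries in 0x0502 format (used here to construct the sample input)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(buf: bytes) -> list[str]:
    """One summary line per entry; raises KeytabError for a bad file."""
    return [e.summary() for e in parse_keytab(buf)]


def is_malformed(buf: bytes) -> bool:
    try:
        parse_keytab(buf)
        return False
    except KeytabError:
        return True


# Constructed sample: one des-cbc-crc (1) and one des-cbc-md5 (3) key, 8 bytes each.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/our.router@OUR.REALM", 1, 1136073600, 1, 1, bytes(range(8))),
    KeytabEntry("host/our.router@OUR.REALM", 1, 1136073600, 1, 3, bytes(range(8, 16))),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for line in check_keytab(data):
        print(line)
    try:
        check_keytab(SAMPLE_KEYTAB[:40])   # deliberately cut short
    except KeytabError as exc:
        print("short file:", exc)
```

Run it with no arguments to see the two constructed entries and the truncation report, or with a keytab path (for instance the file you export for the router) to confirm the entries and enctypes it actually contains match what you intended to ship.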