random notes
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4753 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
62
doc/misc.texi
Normal file
62
doc/misc.texi
Normal file
@@ -0,0 +1,62 @@
|
||||
@node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
|
||||
@chapter Things in search for a better place
|
||||
|
||||
@section Making things work on Ciscos
|
||||
|
||||
Modern versions of Cisco IOS has some support for authenticating via
|
||||
Kerberos 5. This can be used both to verify passwords via a ticket
|
||||
exchange Kerberos 5 (boring), and to use Kerberos authenticated telnet
|
||||
to access your router (less boring). The following has been tested on
|
||||
IOS 11.2(12), things might be different with other versions. Old
|
||||
versions are known to have bugs.
|
||||
|
||||
To make this work, you will first have to configure your router to use
|
||||
Kerberos (this is explained in the documentation). A sample
|
||||
configuration looks like the following:
|
||||
|
||||
@example
|
||||
aaa new-model
|
||||
aaa authentication login default krb5-telnet krb5 enable
|
||||
aaa authorization exec krb5-instance
|
||||
kerberos local-realm FOO.SE
|
||||
kerberos srvtab entry host/router.foo.se.SE 0 891725446 4 1 8 012345678901234567
|
||||
kerberos server FOO.SE 10.0.0.1
|
||||
kerberos instance map admin 15
|
||||
@end example
|
||||
|
||||
This tells you (among other things) that the when logging in, the router
|
||||
should try to authenticate with kerberized telnet, and if that fails try
|
||||
to verify a plain text password via a Kerberos ticket exchange (as
|
||||
opposed to a local database or RADIUS or something similar), and if that
|
||||
fails try the local enable password. If you're not careful when you
|
||||
specify the `login default' authentication mechanism, you might not be
|
||||
able to login. The `instance map' and `authorization exec' lines says
|
||||
that people with `admin' instances should be given `enabled' shells when
|
||||
logging in.
|
||||
|
||||
To make the Heimdal KDC produce tickets that the Cisco can decode you
|
||||
might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
|
||||
KDC. You will also have to specify that the router can't handle anything
|
||||
but @samp{des-cbc-crc}. There currently isn't an easy way to do
|
||||
this. The best you can do is to dump your database (with @samp{kadmin -l
|
||||
dump}), and change the final dash for your router entry to a one, and
|
||||
then reloading the database (@samp{kadmin -l load}). An example should
|
||||
clarify this. You should have something like (again, truncated):
|
||||
@example
|
||||
host/router.foo.se@@FOO.SE 4:0:1:... - - - - - 126 -
|
||||
@end example
|
||||
Change this to:
|
||||
@example
|
||||
host/router.foo.se@@FOO.SE 4:0:1:... - - - - - 126 1
|
||||
@end example
|
||||
|
||||
This all fine and so, but unless you have an IOS version with encryption
|
||||
(available only in the U.S) it doesn't really solve any problems. Sure
|
||||
you don't have to send your password over the wire, but since the telnet
|
||||
connection isn't protected it's still possible for someone to steal your
|
||||
session. This won't be fixed until someone adds integrity to the telnet
|
||||
protocol.
|
||||
|
||||
A working solution would be to hook up a machine with a real operating
|
||||
system to the console of the Cisco and then use it as a backwards
|
||||
terminal server.
|
||||
Reference in New Issue
Block a user