@c $Id$

@node Things in search for a better place, Kerberos 4 issues, Applications, Top
@chapter Things in search for a better place

@section Making things work on Ciscos

Modern versions of Cisco IOS have some support for authenticating via
Kerberos 5. This can be used both by having the router get a ticket when
you log in (boring), and by using Kerberos-authenticated telnet to access
your router (less boring). The following has been tested on IOS
11.2(12); things might be different with other versions. Old versions
are known to have bugs.

To make this work, you will first have to configure your router to use
Kerberos (this is explained in the Cisco documentation). A sample
configuration looks like the following:

@example
aaa new-model
aaa authentication login default krb5-telnet krb5 enable
aaa authorization exec krb5-instance
kerberos local-realm FOO.SE
kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567
kerberos server FOO.SE 10.0.0.1
kerberos instance map admin 15
@end example

This tells you (among other things) that when logging in, the router
should first try to authenticate with kerberised telnet; if that fails,
try to verify a plain text password via a Kerberos ticket exchange (as
opposed to a local database, RADIUS or something similar); and if that
also fails, fall back to the local enable password. If you're not
careful when you specify the `login default' authentication method list,
you might not be able to log in at all. The `instance map' and
`authorization exec' lines say that people with `admin' instances should
be given `enabled' (privilege level 15) shells when logging in.

The numbers after the principal on the `srvtab' line are the principal
type, the time stamp (in seconds since 1970), the key version number (4
here), the keytype (1 == des), the key length (always 8 with des), and
then the key itself.

To make the Heimdal KDC produce tickets that the Cisco can decode you
might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
KDC. You will also have to tell the KDC that the router can't handle
anything but @samp{des-cbc-crc}, by removing the other enctypes from the
router's principal with the @samp{del_enctype} command of @samp{kadmin}.

This is all fine and well, but unless you have an IOS version with
encryption (available only in the U.S.) it doesn't really solve any
problems. Sure, you don't have to send your password over the wire, but
since the telnet connection is neither encrypted nor integrity protected
it's still possible for someone on the path to hijack your session. This
won't be fixed until someone adds integrity protection to the telnet
protocol.

A working solution would be to hook up a machine with a real operating
system to the console of the Cisco and then use it as a backwards
terminal server: log in to that machine with a protected protocol and
reach the router over its serial console from there.
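The `srvtab' line above packs seven fields into one configuration
statement, and a typo in any of them means the router silently fails to
decrypt tickets. The following parser and checker is an example added
here; it is not Heimdal or Cisco IOS code. It splits such a line into
named fields, renders the time stamp as a date, and flags what a
practitioner would look at before trusting the entry: a key version that
cannot match anything on the KDC, a keytype other than des, and a des
key with the wrong length, even byte parity, or one of the four DES weak
keys. The field names and the assumption that the key is written as
hexadecimal digits, two per byte, are the example's own. Under that
assumption the sample line in this section has 18 hex digits rather than
the 16 a des key needs, and the checker reports exactly that.

```python
"""Parse and sanity-check a Cisco IOS `kerberos srvtab entry` line.

Example code added for this page, not part of Heimdal or Cisco IOS.
Assumptions: the fields are principal, principal type, timestamp, kvno,
keytype, key length, key (as described in the text); keytype 1 is
single DES; a DES key is written as hexadecimal digits, two per byte.
"""
import datetime

# The four DES weak keys; a property of DES, not something from the page.
DES_WEAK_KEYS = {
    "0101010101010101", "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
}

# Field names are this example's own naming of the positions in the line.
FIELDS = ("principal", "principal_type", "timestamp",
          "kvno", "keytype", "key_length", "key")
INT_FIELDS = ("principal_type", "timestamp", "kvno", "keytype", "key_length")


def parse_srvtab_entry(line):
    """Split one `kerberos srvtab entry ...` line into a dict of fields."""
    words = line.split()
    if words[:3] != ["kerberos", "srvtab", "entry"] or len(words) != 3 + len(FIELDS):
        raise ValueError("expected 'kerberos srvtab entry' followed by %d fields: %r"
                         % (len(FIELDS), line))
    entry = dict(zip(FIELDS, words[3:]))
    for name in INT_FIELDS:
        entry[name] = int(entry[name])
    return entry


def timestamp_iso(entry):
    """The srvtab time stamp (seconds since 1970) as an ISO 8601 UTC string."""
    when = datetime.datetime.fromtimestamp(entry["timestamp"], datetime.timezone.utc)
    return when.isoformat()


def check_srvtab_entry(entry):
    """Return a list of warnings; an empty list means the entry looks sane."""
    warnings = []
    if entry["kvno"] < 1:
        warnings.append("kvno %d looks unset; it must equal the kvno of the "
                        "principal's key on the KDC" % entry["kvno"])
    if entry["keytype"] != 1:
        warnings.append("keytype %d is not 1 (des), the only keytype the router "
                        "setup described here uses" % entry["keytype"])
        return warnings
    if entry["key_length"] != 8:
        warnings.append("des key length must be 8, not %d" % entry["key_length"])
        return warnings
    key = entry["key"].lower()
    if any(c not in "0123456789abcdef" for c in key):
        # Assumption of this example: the key is hex. If it is not, the router
        # may be storing it in its own encoding, so skip the key checks.
        warnings.append("key field is not hexadecimal; skipping key checks")
        return warnings
    if len(key) != 2 * entry["key_length"]:
        warnings.append("key has %d hex digits, expected %d for an %d-byte des key"
                        % (len(key), 2 * entry["key_length"], entry["key_length"]))
        return warnings
    # Kerberos DES keys carry odd parity in every byte.
    bad_parity = [i for i, b in enumerate(bytes.fromhex(key))
                  if bin(b).count("1") % 2 == 0]
    if bad_parity:
        warnings.append("key bytes %s do not have odd parity; not a valid "
                        "Kerberos des key" % bad_parity)
    if key in DES_WEAK_KEYS:
        warnings.append("key is a DES weak key; regenerate the principal's key")
    return warnings


# Constructed inputs: the first is the sample line from this section, the
# second is the same line with a made-up 8-byte, odd-parity test key.
PAGE_SAMPLE = ("kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 "
               "012345678901234567")
GOOD_SAMPLE = ("kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 "
               "0123456789abcdef")

if __name__ == "__main__":
    for line in (PAGE_SAMPLE, GOOD_SAMPLE):
        entry = parse_srvtab_entry(line)
        print(entry["principal"], "kvno", entry["kvno"], "made", timestamp_iso(entry))
        for w in check_srvtab_entry(entry):
            print("  warning:", w)
```

Run it on a copy of the router's running configuration before rotating
keys: a kvno that no longer matches the KDC, or a key that is not a
well-formed des key, explains most "ticket could not be decrypted"
failures on the router side.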