@node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
@chapter Things in search for a better place

@section Making things work on Ciscos

Modern versions of Cisco IOS have some support for authenticating via
Kerberos 5. This can be used both to verify passwords via a Kerberos 5
ticket exchange (boring), and to use Kerberos authenticated telnet to
access your router (less boring). The following has been tested on IOS
11.2(12); things might be different with other versions. Old versions
are known to have bugs.

To make this work, you will first have to configure your router to use
Kerberos (this is explained in the documentation). A sample
configuration looks like the following:

@example
aaa new-model
aaa authentication login default krb5-telnet krb5 enable
aaa authorization exec krb5-instance
kerberos local-realm FOO.SE
kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567
kerberos server FOO.SE 10.0.0.1
kerberos instance map admin 15
@end example

This tells you (among other things) that when logging in, the router
should try to authenticate with kerberized telnet, and if that fails try
to verify a plain text password via a Kerberos ticket exchange (as
opposed to a local database or RADIUS or something similar), and if that
fails try the local enable password. If you're not careful when you
specify the `login default' authentication mechanism, you might not be
able to log in. The `instance map' and `authorization exec' lines say
that people with `admin' instances should be given `enabled' shells when
logging in.

To make the Heimdal KDC produce tickets that the Cisco can decode you
might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
KDC. You will also have to specify that the router can't handle anything
but @samp{des-cbc-crc}. There currently isn't an easy way to do
this. The best you can do is to dump your database (with @samp{kadmin -l
dump}), remove all entries for keys other than @samp{des-cbc-crc}, and
then reload the database (@samp{kadmin -l load}). An example should
clarify this. You should have something like (again, truncated):
@example
host/router.foo.se@@FOO.SE 4:0:1:...:-:... - - - - - - - 126
@end example
Change this to:
@example
host/router.foo.se@@FOO.SE 4:0:1:...:- - - - - - - - 126
@end example

This is all fine and good, but unless you have an IOS version with
encryption (available only in the U.S.) it doesn't really solve any
problems. Sure, you don't have to send your password over the wire, but
since the telnet connection isn't protected it's still possible for
someone to steal your session. This won't be fixed until someone adds
integrity to the telnet protocol.

A working solution would be to hook up a machine with a real operating
system to the console of the Cisco and then use it as a backwards
terminal server.
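As an added illustration of the dump-and-reload step above (example code, not part of Heimdal or of this manual), the script below keeps only the @samp{des-cbc-crc} key (enctype 1) of the principals you select and leaves every other line of the dump untouched. It assumes the keys-field layout visible in the truncated example: the kvno followed by one mkvno:etype:key:salt group per key, all joined with colons; the sample dump lines and their hex key values are constructed.

```python
import re

DES_CBC_CRC = 1  # RFC 3961 enctype number for des-cbc-crc


def filter_keys_field(keys_field, keep_etype=DES_CBC_CRC):
    """Keep only keys of enctype `keep_etype` in one Heimdal dump keys field.

    Assumed layout: 'kvno' followed by 'mkvno:etype:keyhex:salt' per key,
    joined with ':'. Raises ValueError on an unexpected layout or when no
    key of the wanted type would remain (that would lock the principal out).
    """
    parts = keys_field.split(":")
    if (len(parts) - 1) % 4 != 0:
        raise ValueError("unexpected keys field layout: %r" % keys_field)
    kvno, rest = parts[0], parts[1:]
    groups = [rest[i:i + 4] for i in range(0, len(rest), 4)]
    kept = [g for g in groups if int(g[1]) == keep_etype]
    if not kept:
        raise ValueError("no enctype %d key in %r" % (keep_etype, keys_field))
    return ":".join([kvno] + [p for g in kept for p in g])


def filter_dump(dump_text, principal_re, keep_etype=DES_CBC_CRC):
    """Rewrite the keys field of every dump line whose principal matches."""
    out = []
    for line in dump_text.splitlines():
        fields = line.split(None, 2)  # principal, keys, everything else
        if len(fields) == 3 and re.fullmatch(principal_re, fields[0]):
            fields[1] = filter_keys_field(fields[1], keep_etype)
        out.append(" ".join(fields))
    return "\n".join(out) + "\n"


# Constructed sample dump: the router principal has three keys
# (des-cbc-crc, des3-cbc-sha1, des-cbc-md5); a user principal has two.
SAMPLE_DUMP = (
    "host/router.foo.se@FOO.SE 4:0:1:0123456789abcdef:-"
    ":0:16:00112233445566778899aabbccddeeff:-:0:3:fedcba9876543210:-"
    " - - - - - - - - 126\n"
    "user@FOO.SE 1:0:16:ffeeddccbbaa99887766554433221100:-"
    ":0:3:0011223344556677:- - - - - - - - 126\n"
)

if __name__ == "__main__":
    import sys
    # usage: kadmin -l dump | python filter.py 'host/router\.foo\.se@FOO\.SE'
    sys.stdout.write(filter_dump(sys.stdin.read(), sys.argv[1]))
```

Check the rewritten lines by eye before feeding them to @samp{kadmin -l load}; a principal left with only a single-DES key will from then on get des-cbc-crc session keys.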