@c Id
@c $NetBSD: misc.texi,v 1.1.1.2 2011/04/14 14:08:08 elric Exp $

@node Things in search for a better place, Kerberos 4 issues, Applications, Top
@chapter Things in search for a better place

@section Making things work on Ciscos

Modern versions of Cisco IOS have some support for authenticating via
Kerberos 5. This can be used both by having the router get a ticket when
you log in (boring), and by using Kerberos-authenticated telnet to access
your router (less boring). The following has been tested on IOS
11.2(12); things might be different with other versions. Old versions
are known to have bugs.

To make this work, you will first have to configure your router to use
Kerberos (this is explained in the Cisco documentation). A sample
configuration looks like the following:

@example
aaa new-model
aaa authentication login default krb5-telnet krb5 enable
aaa authorization exec krb5-instance
kerberos local-realm FOO.SE
kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567
kerberos server FOO.SE 10.0.0.1
kerberos instance map admin 15
@end example

This tells you (among other things) that when logging in, the router
should try to authenticate with kerberised telnet, and if that fails try
to verify a plaintext password via a Kerberos ticket exchange (as
opposed to a local database, RADIUS or something similar), and if that
fails try the local enable password. If you're not careful when you
specify the `login default' authentication mechanism, you might not be
able to log in at all. The `instance map' and `authorization exec' lines
say that people with `admin' instances should be given `enabled' shells
when logging in.

The numbers after the principal on the `srvtab' line are principal type,
time stamp (in seconds since 1970), key version number (4), keytype (1 ==
des), key length (always 8 with des), and then the key.

To make the Heimdal KDC produce tickets that the Cisco can decode you
might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
KDC. You will also have to specify that the router can't handle anything
but @samp{des-cbc-crc}. This can be done with the @samp{del_enctype}
command of @samp{kadmin}.

This is all fine and well, but unless you have an IOS version with
encryption (available only in the U.S.) it doesn't really solve any
problems. Sure, you don't have to send your password over the wire, but
since the telnet connection isn't protected it's still possible for
someone to steal your session. This won't be fixed until someone adds
integrity protection to the telnet protocol.

A working solution would be to hook up a machine with a real operating
system to the console of the Cisco and then use it as a backwards
terminal server.
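The `srvtab' field layout described above, turned into a small consistency checker. This is an added example for this section, not Heimdal or Cisco code; it parses `kerberos srvtab entry' lines into the fields the text names and checks that the declared key length matches the hex key and that a DES key has the odd per-byte parity DES requires. The second input line and its key are constructed for the example.

```python
"""Parse and sanity-check Cisco IOS `kerberos srvtab entry` lines.

Field order follows the section above: principal, principal type,
time stamp (seconds since 1970), key version number, keytype
(1 == des), key length (bytes, always 8 for des), hex-encoded key.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_LINES = [
    # The line shown in the section above; its key field has 18 hex
    # digits (9 bytes), so the declared length of 8 does not match.
    "kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567",
    # Constructed entry with a proper 8-byte DES key (odd parity per byte).
    "kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 132f46618aa4c7e9",
]


@dataclass
class SrvtabEntry:
    principal: str
    principal_type: int
    timestamp: int
    kvno: int
    keytype: int
    key_length: int
    key: bytes

    def issued_at(self) -> datetime:
        """Time stamp as a UTC datetime, handy when auditing key age."""
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)

    def problems(self) -> list:
        """Return findings about the entry; an empty list means it is consistent."""
        found = []
        if len(self.key) != self.key_length:
            found.append(f"declared key length {self.key_length} but key has {len(self.key)} bytes")
        if self.keytype != 1:
            found.append(f"keytype {self.keytype} is not des; the router only handles des-cbc-crc")
            return found
        if self.key_length != 8:
            found.append("des keys are always 8 bytes")
        # Every DES key byte carries an odd-parity bit; even parity usually means a mistyped key.
        even = [i for i, b in enumerate(self.key) if bin(b).count("1") % 2 == 0]
        if even:
            found.append(f"even parity in key byte(s) {even}")
        return found


def parse_srvtab_line(line: str) -> SrvtabEntry:
    """Parse `kerberos srvtab entry <principal> <type> <ts> <kvno> <keytype> <len> <hexkey>`."""
    fields = line.split()
    if fields[:3] != ["kerberos", "srvtab", "entry"] or len(fields) != 10:
        raise ValueError(f"not a srvtab entry line: {line!r}")
    principal, ptype, ts, kvno, ktype, klen, hexkey = fields[3:]
    return SrvtabEntry(principal, int(ptype), int(ts), int(kvno), int(ktype), int(klen), bytes.fromhex(hexkey))
```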