1233294Sstas@c $Id$ 272445Sassar 3178825Sdfr@node Things in search for a better place, Kerberos 4 issues, Applications, Top 455682Smarkm@chapter Things in search for a better place 555682Smarkm 655682Smarkm@section Making things work on Ciscos 755682Smarkm 855682SmarkmModern versions of Cisco IOS has some support for authenticating via 972445SassarKerberos 5. This can be used both by having the router get a ticket when 1072445Sassaryou login (boring), and by using Kerberos authenticated telnet to access 1172445Sassaryour router (less boring). The following has been tested on IOS 1272445Sassar11.2(12), things might be different with other versions. Old versions 1372445Sassarare known to have bugs. 1455682Smarkm 1555682SmarkmTo make this work, you will first have to configure your router to use 1655682SmarkmKerberos (this is explained in the documentation). A sample 1755682Smarkmconfiguration looks like the following: 1855682Smarkm 1955682Smarkm@example 2055682Smarkmaaa new-model 2155682Smarkmaaa authentication login default krb5-telnet krb5 enable 2255682Smarkmaaa authorization exec krb5-instance 2355682Smarkmkerberos local-realm FOO.SE 2455682Smarkmkerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567 2555682Smarkmkerberos server FOO.SE 10.0.0.1 2655682Smarkmkerberos instance map admin 15 2755682Smarkm@end example 2855682Smarkm 2972445SassarThis tells you (among other things) that when logging in, the router 3072445Sassarshould try to authenticate with kerberised telnet, and if that fails try 3155682Smarkmto verify a plain text password via a Kerberos ticket exchange (as 3272445Sassaropposed to a local database, RADIUS or something similar), and if that 3355682Smarkmfails try the local enable password. If you're not careful when you 3455682Smarkmspecify the `login default' authentication mechanism, you might not be 3572445Sassarable to login at all. The `instance map' and `authorization exec' lines 3672445Sassarsays that people with `admin' instances should be given `enabled' shells 3772445Sassarwhen logging in. 3855682Smarkm 3972445SassarThe numbers after the principal on the `srvtab' line are principal type, 40120945Snectartime stamp (in seconds since 1970), key version number (4), keytype (1 == 4172445Sassardes), key length (always 8 with des), and then the key. 4272445Sassar 4355682SmarkmTo make the Heimdal KDC produce tickets that the Cisco can decode you 4455682Smarkmmight have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the 4555682SmarkmKDC. You will also have to specify that the router can't handle anything 4672445Sassarbut @samp{des-cbc-crc}. This can be done with the @samp{del_enctype} 4772445Sassarcommand of @samp{kadmin}. 4855682Smarkm 4955682SmarkmThis all fine and so, but unless you have an IOS version with encryption 5055682Smarkm(available only in the U.S) it doesn't really solve any problems. Sure 5155682Smarkmyou don't have to send your password over the wire, but since the telnet 5255682Smarkmconnection isn't protected it's still possible for someone to steal your 5355682Smarkmsession. This won't be fixed until someone adds integrity to the telnet 5455682Smarkmprotocol. 5555682Smarkm 5655682SmarkmA working solution would be to hook up a machine with a real operating 5755682Smarkmsystem to the console of the Cisco and then use it as a backwards 5855682Smarkmterminal server. 59