[14524] in Kerberos
Re: Kerberos telnet application that uses Windows 2000 ticket cache
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Fri Jun 1 17:30:17 2001
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 1 Jun 2001 19:53:44 GMT
Message-ID: <9f8rs8$1qp$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU

This cannot be easily accomplished because Telnet does not use
an authentication method that can be emulated using the Windows
SSPI. Only protocols that use GSSAPI can use the Windows Kerberos
SSPI directly.

The best that other telnet clients can do is to read a TGT from the
Microsoft cache, place it into an MIT cache and use the MIT
Kerberos libraries (or an equivalent) to perform the Telnet
authentication and ticket forwarding. Kermit 95 takes this
approach.

http://www.kermit-project.org/k95.html

In article <f29a6579.0106011142.476554d8@posting.google.com>,
Andy Rechenberg <arechenberg@shermfin.com> wrote:
: Does anyone know of a Windows 2000 telnet application that will use
: and forward the 2000 client's Kerberos ticket cache and allow login to
: a kerberized telnet daemon?
:
: I currently have a Linux box configured to obtain Kerberos tickets
: from a Windows 2000 Server KDC. When a Linux user obtains his/her
: tickets using kinit, they can then use Linux telnet (telnet -a -f -x
: myhost.com) to log in to a remote Linux host on our network without being
: prompted for any authentication information.
:
: This information would indicate that the tickets that the 2000 KDC
: provides are compatible with the Linux krb5-telnetd. I've also set up
: users in the 2000 Active Directory to only use DES-CBC-CRC encryption
: so that they are compatible with the standard MIT Kerberos encryption
: (not the proprietary HMAC-RC4 2000 encryption).
:
: What I would like to have happen is a user on a Windows 2000 client
: could run a telnet application on the Windows 2000 Professional
: workstation and have the same thing happen (i.e. not prompted for
: authentication info; the app just uses the Kerberos tickets in the
: 2000 client's ticket cache).
:
: If anyone knows of any such telnet application, and could provide a
: URL or some other information about said application, it would be
: greatly appreciated. Also, if anyone has any interest in coding, or
: is currently coding an application such as the one I've described, I
: would gladly provide any assistance I can.
:
: Thanks in advance for your help.
:
: Regards,
: Andy Rechenberg.
: Network Team, Sherman Financial Group.

Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 7.1 Alpha available
includes Secure Telnet and FTP
using Kerberos, SRP, and
OpenSSL. SSH soon to follow.