[14526] in Kerberos


RE: Kerberos telnet application that uses Windows 2000 ticket cache

daemon@ATHENA.MIT.EDU (John Brezak)
Fri Jun 1 22:08:39 2001

Date: Fri, 1 Jun 2001 19:05:04 -0700
Message-ID: <4AEE3169443CDD4796CA8A00B02191CD4EE6C7@win-msg-01.wingroup.windeploy.ntdev.microsoft.com>
From: "John Brezak" <jbrezak@windows.microsoft.com>
To: "Jeffrey Altman" <jaltman@watsun.cc.columbia.edu>, <kerberos@mit.edu>

You can go to the next step, which would be to request the service
tickets through the win2000 cred cache interfaces. This would mean that
there would be no need to manage the realms or host2realm entries in the
krb5.conf file.

In fact you could create a ccache library that uses just the win2000
ticket cache.

Have a look at the KerbRetrieveEncodedTicket message to the
LsaCallAuthenticationPackage api.

Also the ms2mit.exe shim should be changed to use that api to retrieve a
DES flavor TGT instead of the default that is cached which is usually
rc4-hmac. This is better than setting the DES-only attribute for user
accounts.

> -----Original Message-----
> From: Jeffrey Altman [mailto:jaltman@watsun.cc.columbia.edu] 
> Sent: Friday, June 01, 2001 12:54 PM
> To: kerberos@MIT.EDU
> Subject: Re: Kerberos telnet application that uses Windows 2000 ticket cache
> 
> 
> This cannot be easily accomplished because Telnet does not 
> use an authentication method that can be emulated using the 
> Windows SSPI.  Only protocols that use GSSAPI can use the 
> Windows Kerberos SSPI directly.
> 
> The best that other telnet can do is to read a TGT from the 
> Microsoft cache, place it into a MIT cache and use the MIT 
> Kerberos libraries (or an equivalent) to perform the Telnet 
> authentication and ticket forwarding.  Kermit 95 takes this approach.
> 
>   http://www.kermit-project.org/k95.html
> 
> 
> 
> In article <f29a6579.0106011142.476554d8@posting.google.com>,
> Andy Rechenberg <arechenberg@shermfin.com> wrote:
> : Does anyone know of a Windows 2000 telnet application that will use
> : and forward the 2000 client's Kerberos ticket cache and allow login to
> : a kerberized telnet daemon?
> : 
> : I currently have a Linux box configured to obtain Kerberos tickets
> : from a Windows 2000 Server KDC.  When a Linux user obtains his/her
> : tickets using kinit, they can then use Linux telnet (telnet -a -f -x
> : myhost.com) to login to a remote Linux host on our network without being
> : prompted for any authentication information.
> : 
> : This information would indicate that the tickets that the 2000 KDC
> : provides are compatible with the Linux krb5-telnetd.  I've also setup
> : users in the 2000 Active Directory to only use DES-CBC-CRC encryption
> : so that they are compatible with the standard MIT Kerberos encryption
> : (not the proprietary HMAC-RC4 2000 encryption).
> : 
> : What I would like to have happen is a user on a Windows 2000 client
> : could run a telnet application on the Windows 2000 Professional
> : workstation and have the same thing happen (i.e. not prompted for
> : authentication info; the app just uses the Kerberos tickets in the
> : 2000 client's ticket cache).
> : 
> : If anyone knows of any such telnet application, and could provide a
> : URL or some other information about said application, it would be
> : greatly appreciated.  Also, if anyone has any interest in coding, or
> : is currently coding an application such as the one I've described, I
> : would gladly provide any assistance I can.
> : 
> : Thanks in advance for your help.
> : 
> : Regards,
> : Andy Rechenberg.
> : Network Team, Sherman Financial Group.
> 
> 
>  Jeffrey Altman * Sr.Software Designer      C-Kermit 7.1 Alpha available
>  The Kermit Project @ Columbia University   includes Secure Telnet and FTP
>  http://www.kermit-project.org/             using Kerberos, SRP, and
>  kermit-support@kermit-project.org          OpenSSL.  SSH soon to follow.
> 
