Guest
Posted: Thu Oct 27, 2005 12:50 pm
Post subject: Kerberos V5 Authentication for a Telnet Session

Here is what I want to do. I want to establish a telnet connection from
a client to a server. The authentication mechanism that I want to use
for telnet connection is Kerberos v5.
What I Have Done So Far:
I have set up two virtual machines (both Windows 2003 Server Enterprise
Edition) on VMware. I have made one of them a server (a domain
controller) and the other a client. On the server, I
have installed Active Directory. On the server I registered a new user
in Active Directory. Using this user I can log in to the domain from the
client's machine. Now, from the client's machine, when I try to connect
to the server using the Windows built-in telnet client, the login
attempt fails. The message that is displayed on the console is "Failure
in initializing the telnet session. Shell process may not have been
launched.". In the server event viewer, there is an error saying "Error
in creating CMD proces. System Error: Access is denied.". After
searching the internet, I found a couple of proposed solutions for
the first error. One of them was for Win XP 64-bit edition. Tried it
but to no avail. The 2nd
one said to make sure that the Secondary Logon service is running. Tried
that too but no effect at all. If I unset NTLM auth on the client
side then it simply asks me to enter user name and password. Obviously
this is not what I want. I want the user to be authenticated by means
of the Kerberos v5 protocol. So now I am wondering how I can make Kerberos
v5 authentication work with telnet. Any help would be highly
appreciated.
Thanks,
sarshah

Eric Denekamp
Guest
Posted: Thu Oct 27, 2005 12:51 pm
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

AFAIK, this is not possible by default. I heard about some organisations
who have done this by reprogramming the telnet service and the telnet client.
So if I am correct, you have to dig into Visual Studio .NET and the Platform
SDK to accomplish this.
Too bad though, you are not the only one to want this.
Good luck,
Eric Denekamp
mailto:ericd@infosupport.com

S. Pidgorny
Guest
Posted: Thu Oct 27, 2005 12:51 pm
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

I think neither Windows telnet client nor Windows telnet server supports
Kerberos authentication - with the built-ins, you're limited to NTLM
authentication (info and links in the KB -
http://support.microsoft.com/?id=299942). There are probably 3rd-party
products but if you're after secure remote console, I'd recommend using SSH
instead. But if you'll need Kerberos support in SSH, this gets complicated
yet again.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

Tim Sanderson
Guest
Posted: Thu Oct 27, 2005 4:51 pm
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

Save yourself the trouble and install OpenSSH for Windows, a telnet/FTP
alternative. I use it and have had no troubles. For a terminal client I use
PuTTY and for secure file transfer I use WinSCP.
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
http://winscp.net/eng/download.php
http://sshwindows.sourceforge.net/download/

Steven L Umbach
Guest
Posted: Thu Oct 27, 2005 8:51 pm
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

Look into using ipsec. You could create an ipsec require policy on the
server for the telnet port and configure the client computer with a
client/respond policy. Then the two computers will have to authenticate via
kerberos [default authentication protocol but certificates can be used also]
and create the ipsec tunnel before the user ever gets a prompt for a
password. The user still has to use ntlm but the challenge response will go
through a very secure encrypted tunnel if that is your concern. Computers
that do not have a compliant ipsec policy would not be able to access that
port used for telnet. You can specify the IP addresses in the filter list
for the ipsec policy to block all IP for telnet and then another rule to
allow the specified IPs requiring ipsec EH for telnet.
--- Steve

S. Pidgorny
Guest
Posted: Fri Oct 28, 2005 12:51 pm
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

Tim,
I think transparent single sign-on may be a requirement, and that is
problematic with OpenSSH. I find SSH (both freeware and commercial versions)
support for Kerberos lacking and badly documented. Vintela provides an
alternative but their server product is a requirement. I agree with Steven's
suggestion to look into IPsec - and existing NTLM support will facilitate
SSO.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"Tim Sanderson" <trsandersonii@hotmail.com> wrote in message
news:OcVtgMw2FHA.3876@TK2MSFTNGP09.phx.gbl...
| Quote: | Save yourself the trouble and install OpenSSH for Windows, a telnet/FTP
alternative. |

Sami J. Lehtinen
Guest
Posted: Fri Oct 28, 2005 12:51 pm
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

S. Pidgorny <MVP> wrote:
| Quote: | Tim,
I think transparent single sign-on may be a requirement, and that is
problematic with OpenSSH. I find SSH (both freeware and commercial versions)
support for Kerberos lacking and badly documented. Vintela provides an
alternative but their server product is a requirement. I agree with Steven's
suggestion to look into IPsec - and existing NTLM support will facilitate
SSO.
|
SSH Tectia solution works out-of-the-box with 4.x and 5.x series when
using Windows client against the Windows server product, providing SSO
with GSS-API authentication (SSPI).
--
sjl@ssh.com

Guest
Posted: Fri Oct 28, 2005 8:51 pm
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

Thanks everybody for the replies. The reason I want to use Kerberos V5
authentication is because I want to study the telnet packets exchanged
between the client and the server for this kind of authentication.
Therefore, using some other means of secure communication is not an
option here. I have tried setting up a 3rd party Kerberized client and
server (can't recall the name right now) but they never did any
kerberized authentication. The telnet authentication option packet
captured showed that the auth type was not Kerberos v5. So now the
question is what third party telnet client and server I can use to
easily simulate telnet auth based on Kerberos v5 (easily means where I
don't have to set a lot of options). Or is there any other way I can
use to achieve my purpose (besides studying the RFC)? Let me reiterate the
purpose. The purpose is to study the packets exchanged between telnet
client and server when they are authenticating using the Kerberos v5
authentication type.
Thanks,
sarshah |
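
Added example, not written by any poster in this thread: a Python decoder for the telnet AUTHENTICATION option subnegotiations defined in RFC 2941, which is the field the post above inspects to see whether the negotiated auth type is Kerberos V5 or something else such as NTLM. The function names are hypothetical and the byte strings are constructed samples, not captures from the poster's setup.

```python
IAC, SB, SE, AUTHENTICATION = 255, 250, 240, 37
COMMANDS = {0: "IS", 1: "SEND", 2: "REPLY", 3: "NAME"}
AUTH_TYPES = {0: "NULL", 1: "KERBEROS_V4", 2: "KERBEROS_V5", 3: "SPX", 4: "MINK",
              5: "SRP", 6: "RSA", 7: "SSL", 10: "LOKI", 11: "SSA", 12: "KEA_SJ",
              13: "KEA_SJ_INTEG", 14: "DSS", 15: "NTLM"}
ENCRYPT = {0: "OFF", 4: "USING_TELOPT", 16: "AFTER_EXCHANGE", 20: "RESERVED"}

def subnegotiations(stream):
    """Yield the unescaped body of every complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] == IAC and stream[i + 1] == SB:
            i, body = i + 2, bytearray()
            while i < n - 1:
                if stream[i] == IAC and stream[i + 1] == SE:
                    yield bytes(body)
                    i += 2
                    break
                esc = stream[i] == IAC and stream[i + 1] == IAC  # IAC IAC = one 0xFF
                body.append(stream[i])
                i += 2 if esc else 1
        elif stream[i] == IAC and stream[i + 1] == IAC:
            i += 2  # escaped 0xFF in the data stream, not a command
        else:
            i += 1

def pair(auth_type, mod):
    return {"type": AUTH_TYPES.get(auth_type, f"UNKNOWN({auth_type})"),
            "who": "SERVER_TO_CLIENT" if mod & 1 else "CLIENT_TO_SERVER",
            "how": "MUTUAL" if mod & 2 else "ONE_WAY",
            "encrypt": ENCRYPT[mod & 20], "cred_fwd": bool(mod & 8)}

def decode_auth(stream):
    """Yield the AUTHENTICATION subnegotiations seen in one direction of a capture."""
    for body in subnegotiations(stream):
        if len(body) < 2 or body[0] != AUTHENTICATION:
            continue
        cmd, rest = COMMANDS.get(body[1], "?"), body[2:]
        if cmd == "SEND":  # server's offer: a list of (type, modifier) pairs
            yield (cmd, [pair(rest[k], rest[k + 1]) for k in range(0, len(rest) - 1, 2)])
        elif cmd in ("IS", "REPLY") and len(rest) >= 2:  # one pair, then mechanism data
            yield (cmd, pair(rest[0], rest[1]), len(rest) - 2)

def offered_types(stream):
    return [p["type"] for e in decode_auth(stream) if e[0] == "SEND" for p in e[1]]
# Constructed sample bytes (not captures from the thread); the IS payload is filler.
OFFER_NTLM = bytes([255, 250, 37, 1, 15, 0, 255, 240])
KRB5_EXCHANGE = bytes([255, 253, 37, 255, 250, 37, 1, 2, 2, 2, 0, 255, 240,
                       255, 250, 37, 0, 2, 2, 0, 0x6E, 255, 255, 1, 255, 240])
```

Feed it the reassembled TCP payload of each direction separately; a server whose SEND list never contains KERBEROS_V5 cannot be made to negotiate it from the client side.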

S. Pidgorny
Guest
Posted: Mon Oct 31, 2005 9:51 am
Post subject: Re: Kerberos V5 Authentication for a Telnet Session

I'd be interested in connecting to non-Windows SSH server using Kerberos
authentication as well. This is where things get complicated. I must admit
that my initial claim about commercial Windows SSH implementation is
partially misleading.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"Sami J. Lehtinen" <sjl@ssh.com> wrote in message
news:Of1ihd72FHA.1148@tk2msftngp13.phx.gbl...
| Quote: |
SSH Tectia solution works out-of-the-box with 4.x and 5.x series when
using Windows client against the Windows server product, providing SSO
with GSS-API authentication (SSPI).
--
sjl@ssh.com |