cc/td/doc/product/software
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Encrypted Kerberized Telnet

Description

Platforms

Prerequisites

Configuration Tasks

Configuration Example

Command Reference

Encrypted Kerberized Telnet

Description

The Encrypted Kerberized Telnet feature enables a router to initiate or receive an encrypted Telnet session. Previously, all Telnet session traffic could only be transmitted as cleartext (readable) data.

You can use Encrypted Kerberized Telnet when establishing a Telnet session to or from a router. When you use this feature, first you are authenticated by your Kerberos credentials, and then an encrypted Telnet session is established.

Cisco's Encrypted Kerberized Telnet uses the following encryption standard: 56-bit Data Encryption Standard (DES) encryption with 64-bit Cipher Feedback (CFB).

This feature is available only if you have the 56-bit encryption image. 56-bit DES encryption is subject to U.S. government export control regulations.

Benefits

Encrypting your Telnet sessions reduces the risk of Telnet traffic being intercepted and read during transmission.

This is especially valuable for system administrators who use Telnet sessions to remotely administer routers. With normal Telnet sessions (non-encrypted Telnet sessions), an intruder could intercept and read the Telnet traffic. If this traffic contains a router's configuration information, the router's integrity then becomes compromised. Using encrypted Telnet sessions to administer a router helps to protect the router's integrity.

Cisco recommends that you use Encrypted Kerberized Telnet whenever you establish a Telnet session to a router or other Cisco device in order to administer that device.

List of Terms

cleartext data--Data that is readable if intercepted during transmission. Also called "plaintext" data.

encryption--A means of converting meaningful (cleartext) data into unreadable data. If data is encrypted (made unreadable) before it is transmitted, the data cannot be read if it is intercepted during transmission. When the data reaches its destination, it is restored to its original meaningful form (in a process called "decryption").

Platforms

This feature is supported on these platforms:

Prerequisites

To use this feature, you must have previously configured Kerberos for each router that you wish to Telnet into.

To learn more about configuring Kerberos and other security-related features, refer to the Cisco IOS Release 11.2 Security Configuration Guide.

Configuration Tasks

You can establish encrypted Telnet sessions to or from Cisco routers that have Kerberos configured.

Establish an Encrypted Telnet Session: Router to Remote Host

To establish an encrypted Telnet session from a router to a remote host, perform the following task in EXEC command mode:

Task Command
Establish an encrypted Telnet session. connect host [port] /encrypt kerberos

or

telnet host [port] /encrypt kerberos

If you use the telnet command or connect command to initiate a Telnet session from the router to a remote host, use the /encrypt kerberos keyword to specify an encrypted Telnet session. If you use the /encrypt kerberos keyword, the router and remote host will negotiate to authenticate you by using your Kerberos credentials. If this authentication is successful, the router and remote host will then negotiate whether or not to use encryption. If this negotiation is successful, both inbound and outbound traffic within the ensuing Telnet session will be encrypted using 46-bit DES encryption with 64-bit CFB.

If encryption is not successfully negotiated, the Telnet session will not be established, and you will receive a message stating that the encrypted Telnet session was not successfully established. You must attempt the Telnet session again, perhaps without encryption.

Establish an Encrypted Telnet Session: Remote Host to Router

If you are on a remote host and Telnet to a Cisco router which authenticates you by using Kerberos credentials, the host and router will attempt to negotiate whether or not to use encryption for the Telnet session. If this negotiation is successful, the router will encrypt all outbound data during the Telnet session.

If encryption is not successfully negotiated, the Telnet session will not be established, and you will receive a message stating that the encrypted Telnet session was not successfully established. You must attempt the Telnet session again, perhaps without encryption.

Please refer to the documentation for your remote Telnet host for information on how to enable bidirectional encryption from the remote host.

Configuration Example

The following example establishes an encrypted Telnet session from a router to a remote host named "host1":

Router> telnet host1 /encrypt kerberos

Command Reference

To support Encrypted Kerberized Telnet, the keyword /encrypt kerberos has been added to the connect and telnet commands. If the /encrypt kerberos keyword is specified when issuing either of these commands, the ensuing Telnet session will be encrypted.

This section includes complete descriptions of these commands.

connect

To log in to a host that supports Telnet, rlogin, or LAT, use the connect EXEC command.

connect host [port] [keyword]
Syntax Description
host A host name or an IP address.
port (Optional) A decimal TCP port number; the default is the Telnet router port (decimal 23) on the host.
keyword (Optional) One of the options listed in Table 1.

Table 1 describes the options that can be used for the argument keyword.


Table 1: Connection Options
Option Description
/debug Enables Telnet debugging mode.
/encrypt kerberos Enables an encrypted Telnet session. This keyword is available only if you have the Kerberized Telnet subsystem.
If you authenticate using Kerberos Credentials, the use of this keyword initiates an encryption negotiation with the remote server. If the encryption negotiation fails, the Telnet connection will be reset. If the encryption negotiation is successful, the Telnet connection will be established, and the Telnet session will continue in encrypted mode (all Telnet traffic for the session will be encrypted).
/line Enables Telnet line mode. In this mode, the Cisco IOS software sends no data to the host until you press Return. You can edit the line using the standard Cisco IOS software command editing characters. The /line keyword is a local switch; the remote router is not notified of the mode change.
/noecho
/route path Specifies loose source routing. The path argument is a list of host names or IP addresses that specify network nodes and ends with the final destination.
/source-interface
/stream Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UUCP and other non-Telnet protocols.
port-number Port number.
bgp Border Gateway Protocol.
chargen Character generator.
cmd rcmd Remote commands.
daytime Daytime.
discard Discard.
domain Domain Naming Service.
echo Echo.
exec EXEC.
finger Finger.
ftp File Transfer Protocol.
ftp-data FTP data connections (used infrequently).
gopher Gopher.
hostname Network Information Center (NIC) hostname server.
ident Ident Protocol.
irc Internet Relay Chat.
klogin Kerberos login.
kshell Kerberos shell.
login Login (rlogin).
lpd Printer service.
nntp Network News Transport Protocol.
node Connect to a specific LAT node.
pop2 Post Office Protocol v2.
pop3 Post Office Protocol v3.
port Destination LAT port name.
smtp Simple Mail Transport Protocol.
sunrpc Sun Remote Procedure Call.
syslog Syslog.
tacacs Specify TACACS security.
talk Talk.
telnet Telnet.
time Time.
uucp UNIX-to-UNIX Copy Program.
whois Nickname.
www World Wide Web (HTTP).
Command Mode

EXEC

Usage Guidelines

This command first appeared in a release prior to Cisco IOS Release 10.0.

With the Cisco IOS software implementation of TCP/IP, you are not required to enter the connect, telnet, lat, or rlogin commands to establish a terminal connection. You can just enter the learned host name--as long as the host name is different from a command word in the Cisco IOS software.

To display a list of the available hosts, enter the following command:

show hosts

To display the status of all TCP connections, enter the following command:

show tcp

The Cisco IOS software assigns a logical name to each connection, and several commands use these names to identify connections. The logical name is the same as the host name, unless that name is already in use, or you change the connection name with the EXEC command name-connection. If the name is already in use, the Cisco IOS software assigns a null name to the connection.

Examples

The following example establishes an encrypted Telnet session from a router to a remote host named host1:

Router> connect host1 /encrypt kerberos

The following example routes packets from the source system host1 to kl.sri.com, then to 10.1.0.11, and finally back to host1:

Router> connect host1 /route:kl.sri.com 10.1.0.11 host1
 

The following example connects to a host with logical name host1:

Router> host1
Related Commands

lat
telnet

telnet

To log in to a host that supports Telnet, use the telnet EXEC command.

telnet host [port] [keyword] 
Syntax Description
host A host name or an IP address.
port (Optional) A decimal TCP port number; the default is the Telnet router port (decimal 23) on the host.
keyword (Optional) One of the options listed in Table 2.

Table 2 describes the options that can be used for the argument keyword.


Table 2: Telnet Connection Options 
Option Description
/debug Enables Telnet debugging mode.
/encrypt kerberos Enables an encrypted Telnet session. This keyword is available only if you have the Kerberized Telnet subsystem.
If you authenticate using Kerberos Credentials, the use of this keyword initiates an encryption negotiation with the remote server. If the encryption negotiation fails, the Telnet connection will be reset. If the encryption negotiation is successful, the Telnet connection will be established, and the Telnet session will continue in encrypted mode (all Telnet traffic for the session will be encrypted).
/line Enables Telnet line mode. In this mode, the Cisco IOS software sends no data to the host until you press Return. You can edit the line using the standard Cisco IOS software command-editing characters. The /line keyword is a local switch; the remote router is not notified of the mode change.
/noecho
/route path Specifies loose source routing. The path argument is a list of host names or IP addresses that specify network nodes and ends with the final destination.
/source-interface
/stream Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UUCP and other non-Telnet protocols.
port-number Port number.
bgp Border Gateway Protocol.
chargen Character generator.
cmd rcmd Remote commands.
daytime Daytime.
discard Discard.
domain Domain Name Service.
echo Echo.
exec EXEC.
finger Finger.
ftp File Transfer Protocol.
ftp-data FTP data connections (used infrequently).
gopher Gopher.
hostname NIC hostname server.
ident Ident Protocol.
irc Internet Relay Chat
klogin Kerberos login.
kshell Kerberos shell.
login Login (rlogin).
lpd Printer service.
nntp Network News Transport Protocol.
node Connect to a specific LAT node.
pop2 Post Office Protocol v2.
pop3 Post Office Protocol v3.
port Destination LAT port name.
smtp Simple Mail Transport Protocol.
sunrpc Sun Remote Procedure Call.
syslog Syslog.
tacacs Specify TACACS security.
talk Talk.
telnet Telnet.
time Time.
uucp UNIX-to-UNIX Copy Program.
whois Nickname.
www World Wide Web (HTTP).
Command Mode

EXEC

Usage Guidelines

This command first appeared in a release prior to Cisco IOS Release 10.0.

With the Cisco IOS implementation of TCP/IP, you are not required to enter the connect or telnet commands to establish a Telnet connection. You can just enter the learned host name--as long as the following conditions are met:

To display a list of the available hosts, use the show hosts command. To display the status of all TCP connections, use the show tcp command.

The Cisco IOS software assigns a logical name to each connection, and several commands use these names to identify connections. The logical name is the same as the host name, unless that name is already in use, or you change the connection name with the name-connection EXEC command. If the name is already in use, the Cisco IOS software assigns a null name to the connection.

The Telnet software supports special Telnet commands in the form of Telnet sequences that map generic terminal control functions to operating system-specific functions. To issue a special Telnet command, enter the escape sequence and then a command character. The default escape sequence is Ctrl-^ (press and hold the Control and Shift keys and the 6 key). You can enter the command character as you hold down Ctrl or with Ctrl released; you can use either uppercase or lowercase letters. Table 3 lists the special Telnet escape sequences.


Table  3: Special Telnet Escape Sequences
Task Escape Sequence1
Break Ctrl-^ b
Interrupt Process (IP) Ctrl-^ c
Erase Character (EC) Ctrl-^ h
Abort Output (AO) Ctrl-^ o
Are You There? (AYT) Ctrl-^ t
Erase Line (EL) Ctrl-^ u

1 The caret (^) symbol refers to Shift-6 on your keyboard.

At any time during an active Telnet session, you can list the Telnet commands by pressing the escape sequence keys followed by a question mark at the system prompt:

Ctrl-^ ?

A sample of this list follows. In this sample output, the first caret (^) symbol represents the Control key, while the second caret represents Shift-6 on your keyboard:

Router> ^^?
[Special telnet escape help]
^^B  sends telnet BREAK
^^C  sends telnet IP
^^H  sends telnet EC
^^O  sends telnet AO
^^T  sends telnet AYT
^^U  sends telnet EL 

You can have several concurrent Telnet sessions open and switch back and forth between them. To open a subsequent session, first suspend the current connection by pressing the escape sequence (Ctrl-Shift-6 then x [Ctrl^x] by default) to return to the system command prompt. Then open a new connection with the telnet command.

To terminate an active Telnet session, issue any of the following commands at the prompt of the device to which you are connecting:

close
disconnect
exit
logout
quit
Examples

The following example establishes an encrypted Telnet session from a router to a remote host named host1:

Router> telnet host1 /encrypt kerberos

The following example routes packets from the source system host1 to kl.sri.com, then to 10.1.0.11, and finally back to host1:

Router> telnet host1 /route:kl.sri.com 10.1.0.11 host1
 

The following example connects to a host with logical name host1:

Router> host1
Related Commands

connect
rlogin


hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1997 © Cisco Systems Inc.