|
|
The Encrypted Kerberized Telnet feature enables a router to initiate or receive an encrypted Telnet session. Previously, all Telnet session traffic could only be transmitted as cleartext (readable) data.
You can use Encrypted Kerberized Telnet when establishing a Telnet session to or from a router. When you use this feature, first you are authenticated by your Kerberos credentials, and then an encrypted Telnet session is established.
Cisco's Encrypted Kerberized Telnet uses the following encryption standard: 56-bit Data Encryption Standard (DES) encryption with 64-bit Cipher Feedback (CFB).
This feature is available only if you have the 56-bit encryption image. 56-bit DES encryption is subject to U.S. government export control regulations.
Encrypting your Telnet sessions reduces the risk of Telnet traffic being intercepted and read during transmission.
This is especially valuable for system administrators who use Telnet sessions to remotely administer routers. With normal Telnet sessions (non-encrypted Telnet sessions), an intruder could intercept and read the Telnet traffic. If this traffic contains a router's configuration information, the router's integrity then becomes compromised. Using encrypted Telnet sessions to administer a router helps to protect the router's integrity.
Cisco recommends that you use Encrypted Kerberized Telnet whenever you establish a Telnet session to a router or other Cisco device in order to administer that device.
cleartext data--Data that is readable if intercepted during transmission. Also called "plaintext" data.
encryption--A means of converting meaningful (cleartext) data into unreadable data. If data is encrypted (made unreadable) before it is transmitted, the data cannot be read if it is intercepted during transmission. When the data reaches its destination, it is restored to its original meaningful form (in a process called "decryption").
This feature is supported on these platforms:
To use this feature, you must have previously configured Kerberos for each router that you wish to Telnet into.
To learn more about configuring Kerberos and other security-related features, refer to the Cisco IOS Release 11.2 Security Configuration Guide.
You can establish encrypted Telnet sessions to or from Cisco routers that have Kerberos configured.
To establish an encrypted Telnet session from a router to a remote host, perform the following task in EXEC command mode:
| Task | Command |
|---|---|
| Establish an encrypted Telnet session. | connect host [port] /encrypt kerberos
or telnet host [port] /encrypt kerberos |
If you use the telnet command or connect command to initiate a Telnet session from the router to a remote host, use the /encrypt kerberos keyword to specify an encrypted Telnet session. If you use the /encrypt kerberos keyword, the router and remote host will negotiate to authenticate you by using your Kerberos credentials. If this authentication is successful, the router and remote host will then negotiate whether or not to use encryption. If this negotiation is successful, both inbound and outbound traffic within the ensuing Telnet session will be encrypted using 46-bit DES encryption with 64-bit CFB.
If encryption is not successfully negotiated, the Telnet session will not be established, and you will receive a message stating that the encrypted Telnet session was not successfully established. You must attempt the Telnet session again, perhaps without encryption.
If you are on a remote host and Telnet to a Cisco router which authenticates you by using Kerberos credentials, the host and router will attempt to negotiate whether or not to use encryption for the Telnet session. If this negotiation is successful, the router will encrypt all outbound data during the Telnet session.
If encryption is not successfully negotiated, the Telnet session will not be established, and you will receive a message stating that the encrypted Telnet session was not successfully established. You must attempt the Telnet session again, perhaps without encryption.
Please refer to the documentation for your remote Telnet host for information on how to enable bidirectional encryption from the remote host.
The following example establishes an encrypted Telnet session from a router to a remote host named "host1":
Router>telnet host1 /encrypt kerberos
To support Encrypted Kerberized Telnet, the keyword /encrypt kerberos has been added to the connect and telnet commands. If the /encrypt kerberos keyword is specified when issuing either of these commands, the ensuing Telnet session will be encrypted.
This section includes complete descriptions of these commands.
To log in to a host that supports Telnet, rlogin, or LAT, use the connect EXEC command.
connect host [port] [keyword]| host | A host name or an IP address. |
| port | (Optional) A decimal TCP port number; the default is the Telnet router port (decimal 23) on the host. |
| keyword | (Optional) One of the options listed in Table 1. |
Table 1 describes the options that can be used for the argument keyword.
| Option | Description |
|---|---|
| /debug | Enables Telnet debugging mode. |
| /encrypt kerberos | Enables an encrypted Telnet session. This keyword is available only if you have the Kerberized Telnet subsystem. If you authenticate using Kerberos Credentials, the use of this keyword initiates an encryption negotiation with the remote server. If the encryption negotiation fails, the Telnet connection will be reset. If the encryption negotiation is successful, the Telnet connection will be established, and the Telnet session will continue in encrypted mode (all Telnet traffic for the session will be encrypted). |
| /line | Enables Telnet line mode. In this mode, the Cisco IOS software sends no data to the host until you press Return. You can edit the line using the standard Cisco IOS software command editing characters. The /line keyword is a local switch; the remote router is not notified of the mode change. |
| /noecho | |
| /route path | Specifies loose source routing. The path argument is a list of host names or IP addresses that specify network nodes and ends with the final destination. |
| /source-interface | |
| /stream | Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UUCP and other non-Telnet protocols. |
| port-number | Port number. |
| bgp | Border Gateway Protocol. |
| chargen | Character generator. |
| cmd rcmd | Remote commands. |
| daytime | Daytime. |
| discard | Discard. |
| domain | Domain Naming Service. |
| echo | Echo. |
| exec | EXEC. |
| finger | Finger. |
| ftp | File Transfer Protocol. |
| ftp-data | FTP data connections (used infrequently). |
| gopher | Gopher. |
| hostname | Network Information Center (NIC) hostname server. |
| ident | Ident Protocol. |
| irc | Internet Relay Chat. |
| klogin | Kerberos login. |
| kshell | Kerberos shell. |
| login | Login (rlogin). |
| lpd | Printer service. |
| nntp | Network News Transport Protocol. |
| node | Connect to a specific LAT node. |
| pop2 | Post Office Protocol v2. |
| pop3 | Post Office Protocol v3. |
| port | Destination LAT port name. |
| smtp | Simple Mail Transport Protocol. |
| sunrpc | Sun Remote Procedure Call. |
| syslog | Syslog. |
| tacacs | Specify TACACS security. |
| talk | Talk. |
| telnet | Telnet. |
| time | Time. |
| uucp | UNIX-to-UNIX Copy Program. |
| whois | Nickname. |
| www | World Wide Web (HTTP). |
EXEC
This command first appeared in a release prior to Cisco IOS Release 10.0.
With the Cisco IOS software implementation of TCP/IP, you are not required to enter the connect, telnet, lat, or rlogin commands to establish a terminal connection. You can just enter the learned host name--as long as the host name is different from a command word in the Cisco IOS software.
To display a list of the available hosts, enter the following command:
show hostsTo display the status of all TCP connections, enter the following command:
show tcpThe Cisco IOS software assigns a logical name to each connection, and several commands use these names to identify connections. The logical name is the same as the host name, unless that name is already in use, or you change the connection name with the EXEC command name-connection. If the name is already in use, the Cisco IOS software assigns a null name to the connection.
The following example establishes an encrypted Telnet session from a router to a remote host named host1:
Router>connect host1 /encrypt kerberos
The following example routes packets from the source system host1 to kl.sri.com, then to 10.1.0.11, and finally back to host1:
Router>connect host1 /route:kl.sri.com 10.1.0.11 host1
The following example connects to a host with logical name host1:
Router>host1
lat
telnet
To log in to a host that supports Telnet, use the telnet EXEC command.
telnet host [port] [keyword]
| host | A host name or an IP address. |
| port | (Optional) A decimal TCP port number; the default is the Telnet router port (decimal 23) on the host. |
| keyword | (Optional) One of the options listed in Table 2. |
Table 2 describes the options that can be used for the argument keyword.
| Option | Description |
|---|---|
| /debug | Enables Telnet debugging mode. |
| /encrypt kerberos | Enables an encrypted Telnet session. This keyword is available only if you have the Kerberized Telnet subsystem. If you authenticate using Kerberos Credentials, the use of this keyword initiates an encryption negotiation with the remote server. If the encryption negotiation fails, the Telnet connection will be reset. If the encryption negotiation is successful, the Telnet connection will be established, and the Telnet session will continue in encrypted mode (all Telnet traffic for the session will be encrypted). |
| /line | Enables Telnet line mode. In this mode, the Cisco IOS software sends no data to the host until you press Return. You can edit the line using the standard Cisco IOS software command-editing characters. The /line keyword is a local switch; the remote router is not notified of the mode change. |
| /noecho | |
| /route path | Specifies loose source routing. The path argument is a list of host names or IP addresses that specify network nodes and ends with the final destination. |
| /source-interface | |
| /stream | Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UUCP and other non-Telnet protocols. |
| port-number | Port number. |
| bgp | Border Gateway Protocol. |
| chargen | Character generator. |
| cmd rcmd | Remote commands. |
| daytime | Daytime. |
| discard | Discard. |
| domain | Domain Name Service. |
| echo | Echo. |
| exec | EXEC. |
| finger | Finger. |
| ftp | File Transfer Protocol. |
| ftp-data | FTP data connections (used infrequently). |
| gopher | Gopher. |
| hostname | NIC hostname server. |
| ident | Ident Protocol. |
| irc | Internet Relay Chat |
| klogin | Kerberos login. |
| kshell | Kerberos shell. |
| login | Login (rlogin). |
| lpd | Printer service. |
| nntp | Network News Transport Protocol. |
| node | Connect to a specific LAT node. |
| pop2 | Post Office Protocol v2. |
| pop3 | Post Office Protocol v3. |
| port | Destination LAT port name. |
| smtp | Simple Mail Transport Protocol. |
| sunrpc | Sun Remote Procedure Call. |
| syslog | Syslog. |
| tacacs | Specify TACACS security. |
| talk | Talk. |
| telnet | Telnet. |
| time | Time. |
| uucp | UNIX-to-UNIX Copy Program. |
| whois | Nickname. |
| www | World Wide Web (HTTP). |
EXEC
This command first appeared in a release prior to Cisco IOS Release 10.0.
With the Cisco IOS implementation of TCP/IP, you are not required to enter the connect or telnet commands to establish a Telnet connection. You can just enter the learned host name--as long as the following conditions are met:
To display a list of the available hosts, use the show hosts command. To display the status of all TCP connections, use the show tcp command.
The Cisco IOS software assigns a logical name to each connection, and several commands use these names to identify connections. The logical name is the same as the host name, unless that name is already in use, or you change the connection name with the name-connection EXEC command. If the name is already in use, the Cisco IOS software assigns a null name to the connection.
The Telnet software supports special Telnet commands in the form of Telnet sequences that map generic terminal control functions to operating system-specific functions. To issue a special Telnet command, enter the escape sequence and then a command character. The default escape sequence is Ctrl-^ (press and hold the Control and Shift keys and the 6 key). You can enter the command character as you hold down Ctrl or with Ctrl released; you can use either uppercase or lowercase letters. Table 3 lists the special Telnet escape sequences.
| Task | Escape Sequence1 |
|---|---|
| Break | Ctrl-^ b |
| Interrupt Process (IP) | Ctrl-^ c |
| Erase Character (EC) | Ctrl-^ h |
| Abort Output (AO) | Ctrl-^ o |
| Are You There? (AYT) | Ctrl-^ t |
| Erase Line (EL) | Ctrl-^ u |
At any time during an active Telnet session, you can list the Telnet commands by pressing the escape sequence keys followed by a question mark at the system prompt:
Ctrl-^ ?A sample of this list follows. In this sample output, the first caret (^) symbol represents the Control key, while the second caret represents Shift-6 on your keyboard:
Router> ^^?
[Special telnet escape help]
^^B sends telnet BREAK
^^C sends telnet IP
^^H sends telnet EC
^^O sends telnet AO
^^T sends telnet AYT
^^U sends telnet EL
You can have several concurrent Telnet sessions open and switch back and forth between them. To open a subsequent session, first suspend the current connection by pressing the escape sequence (Ctrl-Shift-6 then x [Ctrl^x] by default) to return to the system command prompt. Then open a new connection with the telnet command.
To terminate an active Telnet session, issue any of the following commands at the prompt of the device to which you are connecting:
closeThe following example establishes an encrypted Telnet session from a router to a remote host named host1:
Router>telnet host1 /encrypt kerberos
The following example routes packets from the source system host1 to kl.sri.com, then to 10.1.0.11, and finally back to host1:
Router>telnet host1 /route:kl.sri.com 10.1.0.11 host1
The following example connects to a host with logical name host1:
Router>host1
connect
rlogin
|
|