Network Working Group Internet Engineering Task Force
Internet-Draft Telnet Working Group
D. Borman, Editor
Cray Research, Inc.
February 1992
This document is an Internet Draft. Internet Drafts are the working notes of the Internet Engineering Task Force, it Areas, and Working Groups. These are temporary notes valid for a maximum of six months; these notes may updated, replaced, or obsoleted by other documents at any time. It is not appropriate is use Internet Drafts as reference material or to cite them other than as 'working draft' or "work in progress'. Distribution of this memo is unlimited. Please send comments to the telnet-ietf@cray.com mailing list.
Authentication Types
KERBEROS_V5 2
Suboption Commands
AUTH 0
REJECT 1
ACCEPT 2
CHALLENGE 3
RESPONSE 4
IAC SB AUTHENTICATION <authentication-type-pair> AUTH <kerberos tick- et and authenticator> IAC SE
This is used to pass the Kerberos ticket to the remote side of the connection. The first octet of the <authentication-type-pair> value is KERBEROS_V5, to indicate that Version 5 of Kerberos is being used.
IAC SB AUTHENTICATION <authentication-type-pair> ACCEPT IAC SE
This command indicates that the authentication was successful.
IAC SB AUTHENTICATION <authentication-type-pair> REJECT <optional reason for rejection> IAC SE
This command indicates that the authentication was not successful, and if there is any more data in the sub-option, it is an ASCII text message of the reason for the rejection.
IAC SB AUTHENTICATION <authentication-type-pair> CHALLENGE <encrypted
challenge> IAC SE
IAC SB AUTHENTICATION <authentication-type-pair> RESPONSE <encrypted
response> IAC SE
These two commands are used to perform mutual authentication. They are only used when the AUTH_HOW_MUTUAL bit is set in the second octet of the authentication-type-pair. After successfully sending an AUTH and receiving an ACCEPT, a CHALLENGE is sent. The challenge is a random 8 byte number with the most significant byte first, and the least significant byte last. When the CHALLENGE command is sent, the "encrypted challenge" is the 8-byte-challenge encrypted in the session key. When the CHALLENGE command is re- ceived, the contents are decrypted to get the original 8-byte- challenge, this value is then incremented by one, re-encrypted with the session key, and returned as the "encrypted response" in the RESPONSE command. The receiver of the RESPONSE command de- crypts the "encrypted response", and verifies that the resultant value is the original 8-byte-challenge incremented by one.
The "encrypted challenge" value sent/received in the CHALLENGE command is also encrypted with the session key on both sides of the session, to produce a random 8-byte key to be used as the de- fault key for the ENCRYPTION option.
If the second octet of the authentication-type-pair has the AUTH_WHO bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial AUTH command, and the server responds with either ACCEPT or REJECT. In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the server responds with ACCEPT, then the client then sends a CHALLANGE, and the server sends a RESPONSE.
If the second octet of the authentication-type-pair has the AUTH_WHO bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial AUTH command, and the client responds with either ACCEPT or REJECT. In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the client responds with ACCEPT, then the server then sends a CHALLANGE, and the client sends a RESPONSE.
User "joe" may wish to log in as user "pete" on machine "foo". If "pete" has set things up on "foo" to allow "joe" access to his ac- count, then the client would send IAC SB AUTHENTICATION NAME "pete" IAC SE IAC SB AUTHENTICATION IS KERBEROS_V5 AUTH <joe's kerberos ticket> IAC SE The server would then authenticate the user as "joe" from the ticket information, and since "pete" is allowing "joe" to use his account, the server would send back ACCEPT. If mutual au- thentication is being used, the the client would send a CHALLENGE, and verify the RESPONSE that the server sends back.
Client Server
IAC DO AUTHENTICATION
IAC WILL AUTHENTICATION
[ The server is now free to request authentication information.
]
IAC SB AUTHENTICATION SEND
KERBEROS_V5 CLIENT|MUTUAL
KERBEROS_V5 CLIENT|ONE_WAY IAC
SE
[ The server has requested mutual Version 5 Kerberos authentica-
tion. If mutual authentication is not supported, then the
server is willing to do one-way authentication.
The client will now respond with the name of the user that it
wants to log in as, and the Kerberos ticket. ]
IAC SB AUTHENTICATION NAME
"pete" IAC SE
IAC SB AUTHENTICATION IS
KERBEROS_V5 CLIENT|MUTUAL AUTH
<kerberos ticket information>
IAC SE
[ The server responds with an ACCEPT command to state that the
authentication was successful. ]
IAC SB AUTHENTICATION REPLY
KERBEROS_V5 CLIENT|MUTUAL ACCEPT
IAC SE
[ Next, the client sends across a CHALLENGE to verify that it is
really talking to the right server. ]
IAC SB AUTHENTICATION IS
KERBEROS_V5 CLIENT|MUTUAL CHAL-
LENGE xx xx xx xx xx xx xx xx
IAC SE
[ Lastly, the server sends across a RESPONSE to prove that it
really is the right server.
IAC SB AUTHENTICATION REPLY
KERBEROS_V5 CLIENT|MUTUAL
RESPONSE yy yy yy yy yy yy yy yy
IAC SE
David A. Borman, Editor
Cray Research, Inc.
655F Lone Oak Drive
Eagan, MN 55123
Phone: (612) 452-6650
Mailing List: telnet-ietf@CRAY.COM
EMail: dab@CRAY.COM