summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc1411.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc1411.txt')
-rw-r--r--doc/rfc/rfc1411.txt227
1 files changed, 227 insertions, 0 deletions
diff --git a/doc/rfc/rfc1411.txt b/doc/rfc/rfc1411.txt
new file mode 100644
index 0000000..bc0869a
--- /dev/null
+++ b/doc/rfc/rfc1411.txt
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group D. Borman, Editor
+Request for Comments: 1411 Cray Research, Inc.
+ January 1993
+
+
+ Telnet Authentication: Kerberos Version 4
+
+Status of this Memo
+
+ This memo defines an Experimental Protocol for the Internet
+ community. Discussion and suggestions for improvement are requested.
+ Please refer to the current edition of the "IAB Official Protocol
+ Standards" for the standardization state and status of this protocol.
+ Distribution of this memo is unlimited.
+
+1. Command Names and Codes
+
+ Authentication Types
+
+ KERBEROS_V4 1
+
+ Suboption Commands
+
+ AUTH 0
+ REJECT 1
+ ACCEPT 2
+ CHALLENGE 3
+ RESPONSE 4
+
+2. Command Meanings
+
+ IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <kerberos
+ ticket and authenticator> IAC SE
+
+ This is used to pass the Kerberos ticket to the remote side of the
+ connection. The first octet of the <authentication-type-pair>
+ value is KERBEROS_V4, to indicate the usage of Kerberos version 4.
+
+ IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE
+
+ This command indicates that the authentication was successful.
+
+ IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT
+ <optional reason for rejection> IAC SE
+
+ This command indicates that the authentication was not successful,
+ and if there is any more data in the sub-option, it is an ASCII
+ text message of the reason for the rejection.
+
+
+
+Telnet Working Group [Page 1]
+
+RFC 1411 Kerberos Version 4 for Telnet January 1993
+
+
+ IAC SB AUTHENTICATION IS <authentication-type-pair> CHALLENGE
+ <encrypted challenge> IAC SE
+ IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE
+ <encrypted response> IAC SE
+
+ These two commands are used to perform mutual authentication.
+ They are only used when the AUTH_HOW_MUTUAL bit is set in the
+ second octet of the authentication-type-pair. After successfully
+ sending an AUTH and receiving an ACCEPT, a CHALLENGE is sent. The
+ challenge is a random 8 byte number with the most significant byte
+ first, and the least significant byte last. When the CHALLENGE
+ command is sent, the "encrypted challenge" is the 8-byte-challenge
+ encrypted in the session key. When the CHALLENGE command is
+ received, the contents are decrypted to get the original 8-byte-
+ challenge, this value is then incremented by one, re-encrypted
+ with the session key, and returned as the "encrypted response" in
+ the RESPONSE command. The receiver of the RESPONSE command
+ decrypts the "encrypted response", and verifies that the resultant
+ value is the original 8-byte-challenge incremented by one.
+
+ The "encrypted challenge" value sent/received in the CHALLENGE
+ command is also encrypted with the session key on both sides of
+ the session, to produce a random 8-byte key to be used as the
+ default key for the ENCRYPTION option.
+
+3. Implementation Rules
+
+ If the second octet of the authentication-type-pair has the AUTH_WHO
+ bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial
+ AUTH command, and the server responds with either ACCEPT or REJECT.
+ In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the
+ server responds with ACCEPT, then the client then sends a CHALLENGE,
+ and the server sends a RESPONSE.
+
+ If the second octet of the authentication-type-pair has the AUTH_WHO
+ bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial
+ AUTH command, and the client responds with either ACCEPT or REJECT.
+ In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the
+ client responds with ACCEPT, then the server then sends a CHALLENGE,
+ and the client sends a RESPONSE.
+
+ The authenticator (Kerberos Principal) used is of the form
+ "rcmd.host@realm".
+
+4. Examples
+
+ User "joe" may wish to log in as user "pete" on machine "foo". If
+ "pete" has set things up on "foo" to allow "joe" access to his
+
+
+
+Telnet Working Group [Page 2]
+
+RFC 1411 Kerberos Version 4 for Telnet January 1993
+
+
+ account, then the client would send IAC SB AUTHENTICATION NAME "pete"
+ IAC SE IAC SB AUTHENTICATION IS KERBEROS_V4 AUTH <joe's kerberos
+ ticket> IAC SE The server would then authenticate the user as "joe"
+ from the ticket information, and since "pete" is allowing "joe" to
+ use his account, the server would send back ACCEPT. If mutual
+ authentication is being used, the the client would send a CHALLENGE,
+ and verify the RESPONSE that the server sends back.
+
+ Client Server
+ IAC DO AUTHENTICATION
+ IAC WILL AUTHENTICATION
+ [ The server is now free to request authentication information.
+ ]
+ IAC SB AUTHENTICATION SEND
+ KERBEROS_V4 CLIENT|MUTUAL
+ KERBEROS_V4 CLIENT|ONE_WAY IAC
+ SE
+ [ The server has requested mutual Version 4 Kerberos
+ authentication. If mutual authentication is not supported,
+ then the server is willing to do one-way authentication.
+
+ The client will now respond with the name of the user that it
+ wants to log in as, and the Kerberos ticket. ]
+ IAC SB AUTHENTICATION NAME
+ "pete" IAC SE
+ IAC SB AUTHENTICATION IS
+ KERBEROS_V4 CLIENT|MUTUAL AUTH
+ <kerberos ticket information>
+ IAC SE
+ [ The server responds with an ACCEPT command to state that the
+ authentication was successful. ]
+ IAC SB AUTHENTICATION REPLY
+ KERBEROS_V4 CLIENT|MUTUAL ACCEPT
+ IAC SE
+ [ Next, the client sends across a CHALLENGE to verify that it is
+ really talking to the right server. ]
+ IAC SB AUTHENTICATION IS
+ KERBEROS_V4 CLIENT|MUTUAL
+ CHALLENGE xx xx xx xx xx xx xx
+ xx IAC SE
+ [ Lastly, the server sends across a RESPONSE to prove that it
+ really is the right server.
+ IAC SB AUTHENTICATION REPLY
+ KERBEROS_V4 CLIENT|MUTUAL
+ RESPONSE yy yy yy yy yy yy yy yy
+ IAC SE
+
+
+
+
+
+Telnet Working Group [Page 3]
+
+RFC 1411 Kerberos Version 4 for Telnet January 1993
+
+
+Security Considerations
+
+ The ability to negotiate a common authentication mechanism between
+ client and server is a feature of the authentication option that
+ should be used with caution. When the negotiation is performed, no
+ authentication has yet occurred. Therefore, each system has no way
+ of knowing whether or not it is talking to the system it intends. An
+ intruder could attempt to negotiate the use of an authentication
+ system which is either weak, or already compromised by the intruder.
+
+Author's Address
+
+ David A. Borman, Editor
+ Cray Research, Inc.
+ 655F Lone Oak Drive
+ Eagan, MN 55123
+
+ Phone: (612) 452-6650
+ EMail: dab@CRAY.COM
+
+ Mailing List: telnet-ietf@CRAY.COM
+
+Chair's Address
+
+ The working group can be contacted via the current chair:
+
+ Steve Alexander
+ INTERACTIVE Systems Corporation
+ 1901 North Naper Boulevard
+ Naperville, IL 60563-8895
+
+ Phone: (708) 505-9100 x256
+ EMail: stevea@isc.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Telnet Working Group [Page 4]
+ \ No newline at end of file