Telnet Authentication: Kerberos Version 5 (RFC2942)

IP.com Disclosure Number: IPCOM000005135D
Original Publication Date: 2000-Sep-01
Included in the Prior Art Database: 2001-Aug-16
Document File: 8 page(s) / 15K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

T. Ts'o: AUTHOR

Abstract

This document describes how Kerberos Version 5 [1] is used with the telnet protocol. It describes a telnet authentication suboption to be used with the telnet authentication option [2]. This mechanism can also be used to provide keying material for data confidentiality services in conjunction with the telnet encryption option [3].

This text was extracted from an ASCII Text document.
This is the abbreviated version, containing approximately 24% of the total text.

Network Working Group                                           T. Ts'o
Request for Comments: 2942                             VA Linux Systems
Category: Standards Track                                September 2000

Telnet Authentication: Kerberos Version 5

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

1. Command Names and Codes

Authentication Types

   KERBEROS_V5        2

Sub-option Commands

   AUTH               0
   REJECT             1
   ACCEPT             2
   RESPONSE           3
   FORWARD            4
   FORWARD_ACCEPT     5
   FORWARD_REJECT     6

2. Command Meanings

IAC SB AUTHENTICATION IS AUTH IAC SE

This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the remote side of the connection. The first octet of the value is KERBEROS_V5, to indicate that Version 5 of Kerberos is being used. The Kerberos V5 authenticator in the KRB_AP_REQ message must contain a Kerberos V5 checksum of the two-byte authentication type pair. This checksum must be verified by the server to assure that the authentication type pair was correctly negotiated. The Kerberos V5 authenticator must also include the optional subkey field, which shall be filled in with a randomly chosen key. This key shall be used for encryption purposes if encryption is negotiated, and shall be used as the negotiated session key (i.e., used as keyid 0) for the purposes of the telnet encryption option; if the subkey is not filled in, then the ticket session key will be used instead.

If data confidentiality services are desired, the ENCRYPT_USING_TELOPT flag must be set in the authentication-type-pair as specified in [2].

IAC SB AUTHENTICATION REPLY ACCEPT IAC SE

This command indicates that the authentication was successful.

If the AUTH_HOW_MUTUAL bit is set in the second octet of the authentication-type-pair, the RESPONSE command must be sent before the ACCEPT command is sent.

IAC SB AUTHENTICATION REPLY REJECT IAC SE

This command indicates that the authentication was not successful, and if there is any more data in the sub-option, it is an ASCII text message of the reason for the rejection.
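
The framing and the ordering rule above, as an added example that is not part of RFC 2942 or of this page: a Python parser for KERBEROS_V5 authentication sub-options, plus a client-side check that ACCEPT is honoured only after RESPONSE when mutual authentication was requested. The IAC/SB/SE values, option code 37, the IS/REPLY verbs, the modifier bits, and the position of the two-byte type pair and command octet are assumptions taken from RFC 854 and the telnet authentication option [2], not from this abbreviated text; frame() and all sample payloads are constructed.

```python
# Added example: KERBEROS_V5 telnet authentication sub-option parsing.
IAC, SB, SE = 255, 250, 240            # RFC 854 framing (assumed, not on this page)
AUTHENTICATION, IS, REPLY = 37, 0, 2   # option code and verbs from [2] (assumed)
AUTH_HOW_MUTUAL = 2                    # modifier bits from [2] (assumed)
ENCRYPT_MASK, ENCRYPT_USING_TELOPT = 20, 4
KERBEROS_V5 = 2                        # section 1 of this page
COMMANDS = {0: "AUTH", 1: "REJECT", 2: "ACCEPT", 3: "RESPONSE",
            4: "FORWARD", 5: "FORWARD_ACCEPT", 6: "FORWARD_REJECT"}

def frame(verb, modifiers, command, data=b""):
    """Build a constructed sample frame; 0xFF inside the body is doubled."""
    body = bytes([verb, KERBEROS_V5, modifiers, command]) + data
    return (bytes([IAC, SB, AUTHENTICATION])
            + body.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE]))

def parse_suboption(raw):
    """Decode IAC SB AUTHENTICATION verb type-pair command data IAC SE."""
    if raw[:3] != bytes([IAC, SB, AUTHENTICATION]) or raw[-2:] != bytes([IAC, SE]):
        raise ValueError("not an AUTHENTICATION sub-negotiation")
    body = raw[3:-2]
    if b"\xff" in body.replace(b"\xff\xff", b""):
        raise ValueError("unescaped IAC inside sub-option")
    body = body.replace(b"\xff\xff", b"\xff")
    if len(body) < 4:
        raise ValueError("truncated sub-option")
    verb, auth_type, modifiers, command = body[:4]
    if verb not in (IS, REPLY) or auth_type != KERBEROS_V5 or command not in COMMANDS:
        raise ValueError("unexpected verb, authentication type or command")
    return {"verb": verb, "mutual": bool(modifiers & AUTH_HOW_MUTUAL),
            "encrypt": (modifiers & ENCRYPT_MASK) == ENCRYPT_USING_TELOPT,
            "command": COMMANDS[command], "data": body[4:]}

def client_outcome(requested_mutual, replies):
    """Decide from the server's REPLY frames whether the client may proceed."""
    seen_response = False
    for raw in replies:
        msg = parse_suboption(raw)
        if msg["verb"] != REPLY:
            raise ValueError("server must answer with REPLY")
        if msg["command"] == "RESPONSE":
            seen_response = True   # a real client also verifies the payload here
        elif msg["command"] == "REJECT":   # remaining data is the ASCII reason
            return "rejected: " + msg["data"].decode("ascii", "replace")
        elif msg["command"] == "ACCEPT":
            # Trust our own request, not the modifier bits echoed by the peer.
            if requested_mutual and not seen_response:
                return "fail: ACCEPT without prior RESPONSE"
            return "accepted"
    return "incomplete"
```

The parser only covers framing and sequencing; verifying the Kerberos checksum over the authentication type pair still requires a Kerberos library and the service key.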

IAC SB AUTHENTICATION REPLY RESPONSE IAC SE

This command is used to perfor...