
Telnet Authentication: Kerberos Version 5(1)


This document describes how Kerberos Version 5 [1] is used with the telnet protocol. It describes a telnet authentication suboption to be used with the telnet authentication option [2].

Author: compiled from forum posts. Source: ZDNet Network Security. December 25, 2007


  Network Working Group T. Ts'o

  Request for Comments: 2942 VA Linux Systems

  Category: Standards Track September 2000

  Telnet Authentication: Kerberos Version 5

  Status of this Memo

  This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

  Copyright Notice

  Copyright (C) The Internet Society (2000). All Rights Reserved.

  Abstract

  This document describes how Kerberos Version 5 [1] is used with the telnet protocol. It describes a telnet authentication suboption to be used with the telnet authentication option [2]. This mechanism can also be used to provide keying material to provide data confidentiality services in conjunction with the telnet encryption option [3].

  1. Command Names and Codes

  Authentication Types

  KERBEROS_V5 2

  Sub-option Commands

  AUTH 0

  REJECT 1

  ACCEPT 2

  RESPONSE 3

  FORWARD 4

  FORWARD_ACCEPT 5

  FORWARD_REJECT 6

  2. Command Meanings

  IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <Kerberos V5 KRB_AP_REQ message> IAC SE

  This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the remote side of the connection. The first octet of the value is KERBEROS_V5, to indicate that Version 5 of Kerberos is being used. The Kerberos V5 authenticator in the KRB_AP_REQ message must contain a Kerberos V5 checksum of the two-byte authentication type pair. This checksum must be verified by the server to assure that the authentication type pair was correctly negotiated. The Kerberos V5 authenticator must also include the optional subkey field, which shall be filled in with a randomly chosen key. This key shall be used for encryption purposes if encryption is negotiated, and shall be used as the negotiated session key (i.e., used as keyid 0) for the purposes of the telnet encryption option; if the subkey is not filled in, then the ticket session key will be used instead.

  If data confidentiality services are desired, the ENCRYPT_USING_TELOPT flag must be set in the authentication-type-pair as specified in [2].

  IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE

  This command indicates that the authentication was successful.

  If the AUTH_HOW_MUTUAL bit is set in the second octet of the authentication-type-pair, the RESPONSE command must be sent before the ACCEPT command is sent.

  IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT <optional reason for rejection> IAC SE

  This command indicates that the authentication was not successful, and if there is any more data in the sub-option, it is an ASCII text message of the reason for the rejection.

  IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE <KRB_AP_REP message> IAC SE

  This command is used to perform mutual authentication. It is only used when the AUTH_HOW_MUTUAL bit is set in the second octet of the authentication-type-pair. After an AUTH command is verified, a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP message to perform the mutual authentication.

  IAC SB AUTHENTICATION <authentication-type-pair> FORWARD <KRB_CRED message> IAC SE

  This command is used to forward Kerberos credentials for use by the remote session. The credentials are passed as a Kerberos V5 KRB_CRED message which includes, among other things, the forwarded Kerberos ticket and a session key associated with the ticket.

  Part of the KRB_CRED message is encrypted in the key previously exchanged for the telnet session by the AUTH suboption.

  IAC SB AUTHENTICATION <authentication-type-pair> FORWARD_ACCEPT IAC SE

  This command indicates that the credential forwarding was successful.

  IAC SB AUTHENTICATION <authentication-type-pair> FORWARD_REJECT <optional reason for rejection> IAC SE

  This command indicates that the credential forwarding was not successful, and if there is any more data in the suboption, it is an ASCII text message of the reason for the rejection.
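  The framing and ordering rules of section 2, as an added example that is not part of the RFC text: a parser for the IS/REPLY forms (AUTH, REJECT, ACCEPT, RESPONSE) and a client-side check that ACCEPT is not honoured before RESPONSE when AUTH_HOW_MUTUAL is set. The option code 37, the IS/REPLY values and the modifier bit values are taken from the telnet authentication option [2], not from this page; the function names and sample frames are constructed, and Kerberos payloads are treated as opaque bytes.

```python
IAC, SB, SE = 255, 250, 240
AUTHENTICATION, IS, REPLY = 37, 0, 2   # assumed from the authentication option [2]
KERBEROS_V5 = 2                        # authentication type, section 1
COMMANDS = {0: "AUTH", 1: "REJECT", 2: "ACCEPT", 3: "RESPONSE"}
AUTH_HOW_MUTUAL = 2                    # modifier bit, assumed from [2]
ENCRYPT_MASK, ENCRYPT_USING_TELOPT = 20, 4


def parse_suboption(frame: bytes) -> dict:
    """Parse one IAC SB AUTHENTICATION ... IAC SE frame (IS/REPLY forms only)."""
    if frame[:3] != bytes([IAC, SB, AUTHENTICATION]) or frame[-2:] != bytes([IAC, SE]):
        raise ValueError("not an AUTHENTICATION suboption")
    body = frame[3:-2].replace(b"\xff\xff", b"\xff")  # undo IAC doubling in data
    if len(body) < 4:
        raise ValueError("truncated suboption")
    direction, auth_type, modifiers, cmd = body[:4]
    if auth_type != KERBEROS_V5 or cmd not in COMMANDS:
        raise ValueError("not a known KERBEROS_V5 command")
    # AUTH travels in IS (client to server); the other three travel in REPLY.
    if direction != (IS if COMMANDS[cmd] == "AUTH" else REPLY):
        raise ValueError("command sent in the wrong direction")
    return {"command": COMMANDS[cmd], "modifiers": modifiers,
            "mutual": bool(modifiers & AUTH_HOW_MUTUAL),
            "encrypt_telopt": (modifiers & ENCRYPT_MASK) == ENCRYPT_USING_TELOPT,
            "payload": body[4:]}


def server_accepted(reply_frames) -> tuple:
    """Client-side ordering check over server replies; returns (ok, reason).
    The KRB_AP_REP payload itself must still be verified by a Kerberos library."""
    seen_response = False
    for frame in reply_frames:
        msg = parse_suboption(frame)
        if msg["command"] == "RESPONSE":
            seen_response = True
        elif msg["command"] == "REJECT":
            return False, msg["payload"].decode("ascii", "replace")
        elif msg["command"] == "ACCEPT":
            if msg["mutual"] and not seen_response:
                return False, "ACCEPT arrived before RESPONSE with AUTH_HOW_MUTUAL set"
            return True, "accepted"
    return False, "no ACCEPT received"


def reply(cmd: int, modifiers: int, data: bytes = b"") -> bytes:
    """Build a constructed sample REPLY frame (test data, not captured traffic)."""
    body = bytes([REPLY, KERBEROS_V5, modifiers, cmd]) + data
    return bytes([IAC, SB, AUTHENTICATION]) + body.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])
```
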
