Telnet Authentication: Kerberos Version 5(1)

　　Network Working Group T. Ts'o

　　Request for Comments: 2942 VA LinuxSystems

　　Category: Standards Track September 2000

　　TelnetAuthentication: Kerberos Version 5

　　Status of this Memo

　　This document specifies an Internet standards track protocol for the　Internet community, and requests discussion and suggestions for　improvements. Please refer to the current edition of the "Internet　Official Protocol Standards" (STD 1) for the standardization state　and status of this protocol. Distribution of this memo is unlimited.

　　Copyright Notice

　　Copyright (C) The Internet Society (2000). All Rights Reserved.

　　Abstract

　　This document describes how Kerberos Version 5 [1] is used with the　telnet protocol. It describes an telnet authentication suboption to　be used with the telnet authentication option [2]. This mechanism　can also used to provide keying material to provide data　confidentiality services in conjunction with the telnet encryption　option [3].

　　1. Command Names and Codes

　　Authentication Types

　　KERBEROS_V5 2

　　Sub-option Commands

　　AUTH 0

　　REJECT 1

　　ACCEPT 2

　　RESPONSE 3

　　FORWARD 4

　　FORWARD_ACCEPT 5

　　FORWARD_REJECT 6

　　2. Command Meanings

　　IAC SB AUTHENTICATION IS AUTH

　　KRB_AP_REQ message> IAC SE

　　This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the　remote side of the connection. The first octet of the　value is KERBEROS_V5, to indicate that　Version 5 of Kerberos is being used. The Kerberos V5　authenticator in the KRB_AP_REQ message must contain a Kerberos V5　checksum of the two-byte authentication type pair. This checksum　must be verified by the server to assure that the authentication　type pair was correctly negotiated. The Kerberos V5 authenticator　must also include the optional subkey field, which shall be filled　in with a randomly chosen key. This key shall be used for　encryption purposes if encryption is negotiated, and shall be used　as the negotiated session key (i.e., used as keyid 0) for the　purposes of the telnet encryption option; if the subkey is not　filled in, then the ticket session key will be used instead.

　　If data confidentiality services is desired the ENCRYPT_US-ING_TELOPT flag must be set in the authentication-type-pair as　specified in [2].

　　IAC SB AUTHENTICATION REPLY ACCEPT IAC SE

　　This command indicates that the authentication was successful.

　　If the AUTH_HOW_MUTUAL bit is set in the second octet of the　authentication-type-pair, the RESPONSE command must be sent before　the ACCEPT command is sent.

　　IAC SB AUTHENTICATION REPLY REJECT

　　IAC SE

　　This command indicates that the authentication was not successful,　and if there is any more data in the sub-option, it is an ASCII　text message of the reason for the rejection.

　　IAC SB AUTHENTICATION REPLY RESPONSE

　　IAC SE

　　This command is used to perform mutual authentication. It is only　used when the AUTH_HOW_MUTUAL bit is set in the second octet of　the authentication-type-pair. After an AUTH command is verified,　a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP　message to perform the mutual authentication.

　　IAC SB AUTHENTICATION FORWARD

　　message> IAC SE

　　This command is used to forward kerberos credentials for use by　the remote session. The credentials are passed as a Kerberos V5

　　KRB_CRED message which includes, among other things, the forwarded　Kerberos ticket and a session key associated with the ticket.

　　Part of the KRB_CRED message is encrypted in the key previously　exchanged for the telnet session by the AUTH suboption.

　　IAC SB AUTHENTICATION FORWARD_ACCEPT IAC

　　SE

　　This command indicates that the credential forwarding was　successful.

　　IAC SB AUTHENTICATION FORWARD_REJECT

　　IAC SE

　　This command indicates that the credential forwarding was not　successful, and if there is any more data in the suboption, it is　an ASCII text message of the reason for the rejection.