Telnet Authentication: Kerberos Version 5(2)
This document describes how Kerberos Version 5 [1] is used with the telnet protocol. It describes a telnet authentication suboption to be used with the telnet authentication option [2].

Author: forum compilation  Source: ZDNet Network Security  25 December 2007


  3. Implementation Rules

  If the second octet of the authentication-type-pair has the AUTH_WHO bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial AUTH command, and the server responds with either ACCEPT or REJECT.

  In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the server will send a RESPONSE before it sends the ACCEPT.

  If the second octet of the authentication-type-pair has the AUTH_WHO bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial AUTH command, and the client responds with either ACCEPT or REJECT.

  In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the client will send a RESPONSE before it sends the ACCEPT.

  The Kerberos principal used by the server will generally be of the form "host/@realm". That is, the first component of the Kerberos principal is "host"; the second component is the fully qualified lower-case hostname of the server; and the realm is the Kerberos realm to which the server belongs.

  Any Telnet IAC characters that occur in the KRB_AP_REQ or KRB_AP_REP messages, the KRB_CRED structure, or the optional rejection text string must be doubled as specified in [4]. Otherwise the following byte might be mis-interpreted as a Telnet command.
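The rules in this section (who sends the initial AUTH, when a RESPONSE is inserted, and the doubling of IAC bytes inside Kerberos messages) can be seen end to end in the following added example. It is not part of the RFC text or of any telnet implementation; the numeric values come from RFC 854 (IAC, SB, SE), RFC 2941 (option 37, IS/SEND/REPLY/NAME, the AUTH_WHO and AUTH_HOW modifier bits) and RFC 2942 (the Kerberos V5 sub-suboption commands), and the KRB_AP_REQ payload is constructed filler containing 0xFF bytes, not a real Kerberos message. The `escape=False` switch exists only to show what a receiver sees when the doubling rule is skipped.

```python
"""Telnet AUTHENTICATION suboption with the Kerberos V5 sub-suboption:
building, IAC escaping, parsing and the Section 3 exchange rules.
Added example; constants from RFC 854 / RFC 2941 / RFC 2942."""

IAC, SB, SE = 0xFF, 0xFA, 0xF0          # RFC 854
AUTHENTICATION = 37                     # RFC 2941 option code
IS, SEND, REPLY, NAME = 0, 1, 2, 3      # RFC 2941 suboption commands
KERBEROS_V5 = 2                         # RFC 2941 authentication type
AUTH, REJECT, ACCEPT, RESPONSE, FORWARD, FORWARD_ACCEPT, FORWARD_REJECT = range(7)
AUTH_WHO_MASK, AUTH_CLIENT_TO_SERVER, AUTH_SERVER_TO_CLIENT = 0x01, 0x00, 0x01
AUTH_HOW_MASK, AUTH_HOW_ONE_WAY, AUTH_HOW_MUTUAL = 0x02, 0x00, 0x02


def escape_iac(data: bytes) -> bytes:
    """Double every IAC (0xFF) so the peer never sees a spurious Telnet command."""
    return data.replace(b"\xff", b"\xff\xff")


def build_krb5_suboption(command: int, modifier: int, krb5_cmd: int,
                         payload: bytes, escape: bool = True) -> bytes:
    """IAC SB AUTHENTICATION <command> KERBEROS_V5 <modifier> <krb5_cmd> <payload> IAC SE.
    escape=False reproduces the mistake Section 3 warns about (demo only)."""
    body = bytes([command, KERBEROS_V5, modifier, krb5_cmd])
    body += escape_iac(payload) if escape else payload
    return bytes([IAC, SB, AUTHENTICATION]) + body + bytes([IAC, SE])


def parse_suboption(stream: bytes):
    """Consume one IAC SB ... IAC SE from the front of stream.
    Returns (option, un-escaped body, remaining bytes). IAC IAC becomes one 0xFF;
    IAC followed by anything other than IAC or SE is rejected, because a real
    Telnet stack would interpret it as a command and break out of the suboption."""
    if stream[:2] != bytes([IAC, SB]):
        raise ValueError("not a subnegotiation")
    option = stream[2]
    body = bytearray()
    i = 3
    while i + 1 < len(stream):
        b = stream[i]
        if b != IAC:
            body.append(b)
            i += 1
            continue
        nxt = stream[i + 1]
        if nxt == IAC:
            body.append(IAC)
        elif nxt == SE:
            return option, bytes(body), stream[i + 2:]
        else:
            raise ValueError("unescaped IAC followed by 0x%02x inside suboption" % nxt)
        i += 2
    raise ValueError("suboption not terminated by IAC SE")


def parse_krb5_body(body: bytes) -> dict:
    """Split an AUTHENTICATION suboption body into its Kerberos V5 fields."""
    command, auth_type, modifier, krb5_cmd = body[:4]
    if auth_type != KERBEROS_V5:
        raise ValueError("not a KERBEROS_V5 suboption")
    return {"command": command,
            "who": modifier & AUTH_WHO_MASK,
            "how": modifier & AUTH_HOW_MASK,
            "krb5_command": krb5_cmd,
            "payload": body[4:]}


def expected_exchange(modifier: int):
    """Section 3: the AUTH_WHO side sends AUTH; with AUTH_HOW_MUTUAL the other
    side sends RESPONSE before its ACCEPT or REJECT."""
    if modifier & AUTH_WHO_MASK == AUTH_CLIENT_TO_SERVER:
        initiator, responder = "client", "server"
    else:
        initiator, responder = "server", "client"
    steps = [(initiator, "AUTH")]
    if modifier & AUTH_HOW_MASK == AUTH_HOW_MUTUAL:
        steps.append((responder, "RESPONSE"))
    steps.append((responder, "ACCEPT or REJECT"))
    return steps


def parses_cleanly(stream: bytes) -> bool:
    try:
        parse_suboption(stream)
        return True
    except ValueError:
        return False


# Constructed stand-in for a KRB_AP_REQ; note the embedded 0xFF bytes.
FAKE_AP_REQ = b"\x6e\x82\xff\x01\xff\xff\x30"
MODIFIER = AUTH_CLIENT_TO_SERVER | AUTH_HOW_MUTUAL

if __name__ == "__main__":
    wire = build_krb5_suboption(IS, MODIFIER, AUTH, FAKE_AP_REQ)
    opt, body, rest = parse_suboption(wire)
    print(wire.hex(), parse_krb5_body(body), expected_exchange(MODIFIER))
    bad = build_krb5_suboption(IS, MODIFIER, AUTH, FAKE_AP_REQ, escape=False)
    print("unescaped message parses cleanly:", parses_cleanly(bad))
```

Run stand-alone, the escaped message round-trips to the original payload, while the unescaped variant fails at the first 0xFF 0x01 pair, which is exactly the misinterpretation the last paragraph of Section 3 describes.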

  4. Examples

  User "joe" may wish to log in as user "pete" on machine "foo". If "pete" has set things up on "foo" to allow "joe" access to his account, then the client would send

      IAC SB AUTHENTICATION NAME "pete" IAC SE
      IAC SB AUTHENTICATION IS KERBEROS_V5 AUTH IAC SE

  The server would then authenticate the user as "joe" from the KRB_AP_REQ_MESSAGE, and if the KRB_AP_REQ_MESSAGE was accepted by Kerberos, and if "pete" has allowed "joe" to use his account, the server would then continue the authentication sequence by sending a RESPONSE (to do mutual authentication, if it was requested) followed by the ACCEPT.

  If forwarding has been requested, the client then sends IAC SB AUTHENTICATION IS KERBEROS_V5 CLIENT|MUTUAL FORWARD <KRB_CRED structure with credentials to be forwarded> IAC SE. If the server succeeds in reading the forwarded credentials, it sends FORWARD_ACCEPT; otherwise it sends FORWARD_REJECT.

  Client                                        Server

                                                IAC DO AUTHENTICATION
  IAC WILL AUTHENTICATION

  [ The server is now free to request authentication information. ]

                                                IAC SB AUTHENTICATION SEND
                                                  KERBEROS_V5 CLIENT|MUTUAL
                                                  KERBEROS_V5 CLIENT|ONE_WAY IAC SE

  [ The server has requested mutual Version 5 Kerberos authentication. If mutual authentication is not supported, then the server is willing to do one-way authentication. The client will now respond with the name of the user that it wants to log in as, and the Kerberos ticket. ]

  IAC SB AUTHENTICATION NAME "pete" IAC SE
  IAC SB AUTHENTICATION IS
    KERBEROS_V5 CLIENT|MUTUAL AUTH IAC SE

  [ Since mutual authentication is desired, the server sends across a RESPONSE to prove that it really is the right server. ]

                                                IAC SB AUTHENTICATION REPLY
                                                  KERBEROS_V5 CLIENT|MUTUAL
                                                  RESPONSE IAC SE

  [ The server responds with an ACCEPT command to state that the authentication was successful. ]

                                                IAC SB AUTHENTICATION REPLY
                                                  KERBEROS_V5 CLIENT|MUTUAL ACCEPT
                                                  IAC SE

  [ If so requested, the client now sends the FORWARD command to forward credentials to the remote site. ]

  IAC SB AUTHENTICATION IS
    KERBEROS_V5 CLIENT|MUTUAL
    FORWARD IAC SE

  [ The server responds with a FORWARD_ACCEPT command to state that the credential forwarding was successful. ]

                                                IAC SB AUTHENTICATION REPLY
                                                  KERBEROS_V5 CLIENT|MUTUAL
                                                  FORWARD_ACCEPT IAC SE

  5. Security Considerations
