Telnet Authentication: Kerberos Version 5(2)

　　3. Implementation Rules

　　If the second octet of the authentication-type-pair has the AUTH_WHO　bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial　AUTH command, and the server responds with either ACCEPT or REJECT.

　　In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the　server will send a RESPONSE before it sends the ACCEPT.

　　If the second octet of the authentication-type-pair has the AUTH_WHO　bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial　AUTH command, and the client responds with either ACCEPT or REJECT.

　　In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the　client will send a RESPONSE before it sends the ACCEPT.

　　The Kerberos principal used by the server will generally be of the　form "host/@realm". That is, the first component of the　Kerberos principal is "host"; the second component is the fully　qualified lower-case hostname of the server; and the realm is the　Kerberos realm to which the server belongs.

　　Any Telnet IAC characters that occur in the KRB_AP_REQ or KRB_AP_REP　messages, the KRB_CRED structure, or the optional rejection text　string must be doubled as specified in [4]. Otherwise the following　byte might be mis-interpreted as a Telnet command.

　　4. Examples

　　User "joe" may wish to log in as user "pete" on machine "foo". If　"pete" has set things up on "foo" to allow "joe" accessto his　account, then the client would send IAC SB AUTHENTICATION NAME "pete"

　　IAC SE IAC SB AUTHENTICATION IS KERBEROS_V5 AUTH

　　IAC SE

　　The server would then authenticate the user as "joe" from the　KRB_AP_REQ_MESSAGE, and if the KRB_AP_REQ_MESSAGE was accepted by　Kerberos, and if "pete" has allowed "joe" to use his account, the　server would then continue the authentication sequence by sending a　RESPONSE (to do mutual authentication, if it was requested) followed　by the ACCEPT.

　　If forwarding has been requested, the client then sends IAC SB　AUTHENTICATION IS KERBEROS_V5 CLIENT|MUTUAL FORWARD 　structure with credentials to be forwarded> IAC SE. If the server　succeeds in reading the forwarded credentials, the server sends　FORWARD_ACCEPT else, a FORWARD_REJECT is sent back.

　　Client Server

　　IAC DO AUTHENTICATION

　　IAC WILL AUTHENTICATION

　　[ The server is now free to request authentication information.]

　　IAC SB AUTHENTICATION SEND

　　KERBEROS_V5 CLIENT|MUTUAL

　　KERBEROS_V5 CLIENT|ONE_WAY IAC

　　SE

　　[ The server has requested mutual Version 5 Kerberos　authentication. If mutual authentication is not supported,　then the server is willing to do one-way authentication.　The client will now respond with the name of the user that it　wants to log in as, and the Kerberos ticket. ]

　　IAC SB AUTHENTICATION NAME

　　"pete" IAC SE

　　IAC SB AUTHENTICATION IS

　　KERBEROS_V5 CLIENT|MUTUAL AUTH

　　IAC SE

　　[ Since mutual authentication is desired, the server sends across　a RESPONSE to prove that it really is the right server. ]　　

       IAC SB AUTHENTICATION REPLY

　　KERBEROS_V5 CLIENT|MUTUAL

　　RESPONSE

　　IAC SE

　　[ The server responds with an ACCEPT command to state that the　authentication was successful. ]

　　IAC SB AUTHENTICATION REPLY

　　KERBEROS_V5 CLIENT|MUTUAL ACCEPT

　　IAC SE

　　[ If so requested, the client now sends the FORWARD command to　forward credentials to the remote site. ]

　　IAC SB AUTHENTICATION IS KER-

　　BEROS_V5 CLIENT|MUTUAL

　　FORWARD IAC

　　SE

　　[ The server responds with a FORWARD_ACCEPT command to state that　the credential forwarding was successful. ]

　　IAC SB AUTHENTICATION REPLY

　　KERBEROS_V5 CLIENT|MUTUAL

　　FORWARD_ACCEPT IAC SE

　　5. Security Considerations