RFC 1411 (rfc1411) - Page 2 of 4

Telnet Authentication: Kerberos Version 4

Alternative Format: Original Text Document
< Previous
Next >
RFC 1411             Kerberos Version 4 for Telnet          January 1993


   IAC SB AUTHENTICATION IS  CHALLENGE
    IAC SE
   IAC SB AUTHENTICATION REPLY  RESPONSE
    IAC SE

      These two commands are used to perform mutual authentication.
      They are only used when the AUTH_HOW_MUTUAL bit is set in the
      second octet of the authentication-type-pair.  After successfully
      sending an AUTH and receiving an ACCEPT, a CHALLENGE is sent.  The
      challenge is a random 8 byte number with the most significant byte
      first, and the least significant byte last.  When the CHALLENGE
      command is sent, the "encrypted challenge" is the 8-byte-challenge
      encrypted in the session key.  When the CHALLENGE command is
      received, the contents are decrypted to get the original 8-byte-
      challenge, this value is then incremented by one, re-encrypted
      with the session key, and returned as the "encrypted response" in
      the RESPONSE command.  The receiver of the RESPONSE command
      decrypts the "encrypted response", and verifies that the resultant
      value is the original 8-byte-challenge incremented by one.

      The "encrypted challenge" value sent/received in the CHALLENGE
      command is also encrypted with the session key on both sides of
      the session, to produce a random 8-byte key to be used as the
      default key for the ENCRYPTION option.

3.  Implementation Rules

   If the second octet of the authentication-type-pair has the AUTH_WHO
   bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial
   AUTH command, and the server responds with either ACCEPT or REJECT.
   In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the
   server responds with ACCEPT, then the client then sends a CHALLENGE,
   and the server sends a RESPONSE.

   If the second octet of the authentication-type-pair has the AUTH_WHO
   bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial
   AUTH command, and the client responds with either ACCEPT or REJECT.
   In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the
   client responds with ACCEPT, then the server then sends a CHALLENGE,
   and the client sends a RESPONSE.

   The authenticator (Kerberos Principal) used is of the form
   "rcmd.host@realm".

4.  Examples

   User "joe" may wish to log in as user "pete" on machine "foo".  If
   "pete" has set things up on "foo" to allow "joe" access to his



Telnet Working Group
< Previous
Next >