RFC 2942 (rfc2942) - Page 2 of 7


Telnet Authentication: Kerberos Version 5






RFC 2942       Telnet Authentication: Kerberos Version 5  September 2000


2.  Command Meanings

   IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <Kerberos V5
   KRB_AP_REQ message> IAC SE

      This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the
      remote side of the connection.  The first octet of the
      <authentication-type-pair> value is KERBEROS_V5, to indicate that
      Version 5 of Kerberos is being used.  The Kerberos V5
      authenticator in the KRB_AP_REQ message must contain a Kerberos V5
      checksum of the two-byte authentication type pair.  This checksum
      must be verified by the server to assure that the authentication
      type pair was correctly negotiated.  The Kerberos V5 authenticator
      must also include the optional subkey field, which shall be filled
      in with a randomly chosen key.  This key shall be used for
      encryption purposes if encryption is negotiated, and shall be used
      as the negotiated session key (i.e., used as keyid 0) for the
      purposes of the telnet encryption option; if the subkey is not
      filled in, then the ticket session key will be used instead.

      If data confidentiality services are desired, the
      ENCRYPT_USING_TELOPT flag must be set in the authentication-type-pair
      as specified in [2].

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE

      This command indicates that the authentication was successful.

      If the AUTH_HOW_MUTUAL bit is set in the second octet of the
      authentication-type-pair, the RESPONSE command must be sent before
      the ACCEPT command is sent.

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT
   <optional reason for failure> IAC SE

      This command indicates that the authentication was not successful,
      and if there is any more data in the sub-option, it is an ASCII
      text message of the reason for the rejection.

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE
   <KRB_AP_REP message> IAC SE

      This command is used to perform mutual authentication.  It is only
      used when the AUTH_HOW_MUTUAL bit is set in the second octet of
      the authentication-type-pair.  After an AUTH command is verified,
      a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP
      message to perform the mutual authentication.
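
The ACCEPT/RESPONSE ordering rule above, seen from the client side, as an added example that is not part of RFC 2942: a client that asked for AUTH_HOW_MUTUAL refuses an ACCEPT that arrives before a verified RESPONSE. Numeric values are those assigned in RFC 2941 and RFC 2942; `parse_reply`, `ClientAuth`, `reply` and the `verify_ap_rep` callback are hypothetical names, and KRB_AP_REP verification itself is assumed to be done by a Kerberos library.

```python
IAC, SB, SE, AUTHENTICATION, REPLY = 255, 250, 240, 37, 2  # RFC 2941 values
KERBEROS_V5, AUTH_HOW_MUTUAL = 2, 0x02           # type octet, modifier bit
REJECT, ACCEPT, RESPONSE = 1, 2, 3               # RFC 2942 suboption commands


def parse_reply(frame: bytes):
    """Split IAC SB AUTHENTICATION REPLY <pair> <command> <data> IAC SE."""
    head, tail = bytes([IAC, SB, AUTHENTICATION, REPLY]), bytes([IAC, SE])
    if len(frame) < 6 or not frame.startswith(head) or not frame.endswith(tail):
        raise ValueError("not an AUTHENTICATION REPLY sub-negotiation")
    body = frame[4:-2].replace(b"\xff\xff", b"\xff")  # undo telnet IAC doubling
    if len(body) < 3:
        raise ValueError("truncated REPLY")
    return (body[0], body[1]), body[2], body[3:]


class ClientAuth:
    """Tracks REPLY commands for the type pair the client sent in IS ... AUTH."""
    def __init__(self, sent_pair, verify_ap_rep):
        self.sent_pair = sent_pair
        self.verify_ap_rep = verify_ap_rep  # hypothetical hook into a Kerberos library
        self.server_proven = False

    def handle(self, frame: bytes) -> str:
        pair, command, data = parse_reply(frame)
        if pair != self.sent_pair or pair[0] != KERBEROS_V5:
            raise ValueError("REPLY type pair differs from the one sent")  # added check
        mutual = bool(pair[1] & AUTH_HOW_MUTUAL)
        if command == RESPONSE:
            if not mutual:
                raise ValueError("RESPONSE without AUTH_HOW_MUTUAL")
            if not self.verify_ap_rep(data):
                raise ValueError("KRB_AP_REP failed verification")
            self.server_proven = True
            return "response-verified"
        if command == ACCEPT:
            if mutual and not self.server_proven:
                raise ValueError("ACCEPT before RESPONSE on a mutual exchange")
            return "accepted"
        if command == REJECT:
            return "rejected: " + data.decode("ascii", "replace")
        raise ValueError(f"unexpected command {command}")


def reply(pair, command, data=b""):
    """Build a constructed REPLY frame for the demo, doubling any IAC octet."""
    body = (bytes(pair) + bytes([command]) + data).replace(b"\xff", b"\xff\xff")
    return bytes([IAC, SB, AUTHENTICATION, REPLY]) + body + bytes([IAC, SE])
```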




Ts'o                        Standards Track