Telnet Authentication: Kerberos Version 5
RFC 2942 Telnet Authentication: Kerberos Version 5 September 2000
2. Command Meanings
IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <Kerberos V5
KRB_AP_REQ message> IAC SE
This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the
remote side of the connection. The first octet of the
<authentication-type-pair> value is KERBEROS_V5, to indicate that
Version 5 of Kerberos is being used. The Kerberos V5
authenticator in the KRB_AP_REQ message must contain a Kerberos V5
checksum of the two-byte authentication type pair. This checksum
must be verified by the server to assure that the authentication
type pair was correctly negotiated. The Kerberos V5 authenticator
must also include the optional subkey field, which shall be filled
in with a randomly chosen key. This key shall be used for
encryption purposes if encryption is negotiated, and shall be used
as the negotiated session key (i.e., used as keyid 0) for the
purposes of the telnet encryption option; if the subkey is not
filled in, then the ticket session key will be used instead.
If data confidentiality services are desired, the
ENCRYPT_USING_TELOPT flag must be set in the authentication-type-pair as
specified in [2].

IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE
This command indicates that the authentication was successful.
If the AUTH_HOW_MUTUAL bit is set in the second octet of the
authentication-type-pair, the RESPONSE command must be sent before
the ACCEPT command is sent.

IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT
<optional reason for rejection> IAC SE
This command indicates that the authentication was not successful,
and if there is any more data in the sub-option, it is an ASCII
text message of the reason for the rejection.

IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE
<KRB_AP_REP message> IAC SE
This command is used to perform mutual authentication. It is only
used when the AUTH_HOW_MUTUAL bit is set in the second octet of
the authentication-type-pair. After an AUTH command is verified,
a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP
message to perform the mutual authentication.
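
The following is an added example, not part of the RFC text: a Python sketch that decodes the suboptions defined above and checks a captured exchange against the RESPONSE-before-ACCEPT rule. The numeric codes are taken from RFC 854, RFC 2941 and section 1 of this RFC rather than from this page; the function names are hypothetical and the payloads are constructed placeholders, not real Kerberos messages.

```python
IAC, SB, SE, AUTHENTICATION = 255, 250, 240, 37      # RFC 854 / RFC 2941
IS, REPLY = 0, 2                                     # RFC 2941 sub-commands
KERBEROS_V5 = 2                                      # RFC 2941 authentication type
AUTH_HOW_MUTUAL, ENCRYPT_MASK, ENCRYPT_USING_TELOPT = 2, 20, 4   # modifier bits
KRB5_CMDS = {0: "AUTH", 1: "REJECT", 2: "ACCEPT", 3: "RESPONSE"}  # RFC 2942 sec. 1

def build(direction, pair, cmd, data=b""):
    """Frame one suboption, doubling any 0xFF (IAC) octet in the body."""
    body = bytes([direction, *pair, cmd]) + data
    return (bytes([IAC, SB, AUTHENTICATION])
            + body.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE]))

def parse(frame):
    """Decode one IAC SB AUTHENTICATION ... IAC SE frame carrying Kerberos V5."""
    if frame[:3] != bytes([IAC, SB, AUTHENTICATION]) or frame[-2:] != bytes([IAC, SE]):
        raise ValueError("not an AUTHENTICATION suboption")
    body = frame[3:-2].replace(b"\xff\xff", b"\xff")   # undo IAC doubling
    if len(body) < 4 or body[0] not in (IS, REPLY) or body[3] not in KRB5_CMDS:
        raise ValueError("truncated or unsupported suboption")
    if body[1] != KERBEROS_V5:
        raise ValueError("first octet of the pair is not KERBEROS_V5")
    return {"direction": "IS" if body[0] == IS else "REPLY",
            "mutual": bool(body[2] & AUTH_HOW_MUTUAL),
            "encrypt_telopt": (body[2] & ENCRYPT_MASK) == ENCRYPT_USING_TELOPT,
            "command": KRB5_CMDS[body[3]], "data": body[4:]}

def check_replies(frames):
    """Return the section 2 ordering violations found in one exchange."""
    problems, seen_response = [], False
    for msg in map(parse, frames):
        if msg["direction"] == "IS":          # a new AUTH restarts the exchange
            seen_response = False
        elif msg["command"] == "RESPONSE":
            seen_response = True
            if not msg["mutual"]:
                problems.append("RESPONSE sent without AUTH_HOW_MUTUAL")
        elif msg["command"] == "ACCEPT" and msg["mutual"] and not seen_response:
            problems.append("ACCEPT sent before RESPONSE with AUTH_HOW_MUTUAL set")
    return problems

# Constructed sample data: placeholder payloads, not real Kerberos messages.
PAIR = (KERBEROS_V5, AUTH_HOW_MUTUAL | ENCRYPT_USING_TELOPT)
AUTH = build(IS, PAIR, 0, b"AP_REQ\xffplaceholder")
RESPONSE = build(REPLY, PAIR, 3, b"AP_REP placeholder")
ACCEPT = build(REPLY, PAIR, 2)
REJECT = build(REPLY, PAIR, 1, b"Authentication failed")

if __name__ == "__main__":
    print(parse(AUTH))
    print(check_replies([AUTH, RESPONSE, ACCEPT]))   # well-formed exchange
    print(check_replies([AUTH, ACCEPT]))             # RESPONSE skipped
```

A client that accepts the second exchange has not verified the server's KRB_AP_REP, so the check is worth running on the client side as well as over packet captures.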
Ts'o Standards Track