Telnet Authentication: Kerberos Version 5
RFC 2942

Network Working Group                                            T. Ts'o
Request for Comments: 2942                              VA Linux Systems
Category: Standards Track                                 September 2000

               Telnet Authentication: Kerberos Version 5

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.


   This document describes how Kerberos Version 5 [1] is used with the
   telnet protocol.  It describes a telnet authentication suboption to
   be used with the telnet authentication option [2].  This mechanism
   can also be used to provide keying material for data
   confidentiality services in conjunction with the telnet encryption
   option [3].

1. Command Names and Codes

      Authentication Types

         KERBEROS_V5    2

      Sub-option Commands

         AUTH               0
         REJECT             1
         ACCEPT             2
         RESPONSE           3
         FORWARD            4
         FORWARD_ACCEPT     5
         FORWARD_REJECT     6

Ts'o                        Standards Track                     [Page 1]
RFC 2942       Telnet Authentication: Kerberos Version 5  September 2000

2.  Command Meanings

   IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <Kerberos V5
   KRB_AP_REQ message> IAC SE

      This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the
      remote side of the connection.  The first octet of the
      <authentication-type-pair> value is KERBEROS_V5, to indicate that
      Version 5 of Kerberos is being used.  The Kerberos V5
      authenticator in the KRB_AP_REQ message must contain a Kerberos V5
      checksum of the two-byte authentication type pair.  This checksum
      must be verified by the server to assure that the authentication
      type pair was correctly negotiated.  The Kerberos V5 authenticator
      must also include the optional subkey field, which shall be filled
      in with a randomly chosen key.  This key shall be used for
      encryption purposes if encryption is negotiated, and shall be used
      as the negotiated session key (i.e., used as keyid 0) for the
      purposes of the telnet encryption option; if the subkey is not
      filled in, then the ticket session key will be used instead.

      If data confidentiality services are desired, the
      ENCRYPT_USING_TELOPT flag must be set in the authentication-type-pair
      as specified in [2].

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE

      This command indicates that the authentication was successful.

      If the AUTH_HOW_MUTUAL bit is set in the second octet of the
      authentication-type-pair, the RESPONSE command must be sent before
      the ACCEPT command is sent.

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT
      <optional reason for rejection> IAC SE

      This command indicates that the authentication was not successful,
      and if there is any more data in the sub-option, it is an ASCII
      text message of the reason for the rejection.

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE
   <KRB_AP_REP message> IAC SE

      This command is used to perform mutual authentication.  It is only
      used when the AUTH_HOW_MUTUAL bit is set in the second octet of
      the authentication-type-pair.  After an AUTH command is verified,
      a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP
      message to perform the mutual authentication.
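   As an added example (not text or code from RFC 2942 or from any telnet
   implementation), the following Python models the AUTH / RESPONSE /
   ACCEPT / REJECT exchange above from the server's point of view: the
   suboption framing with IAC doubling, the required check that the
   checksum in the authenticator covers the two-byte authentication type
   pair actually received, the fallback to the ticket session key when no
   subkey is present, and the rule that RESPONSE precedes ACCEPT when
   AUTH_HOW_MUTUAL is set.  The codes KERBEROS_V5 = 2 and AUTH..RESPONSE =
   0..3 are from this page; IAC/SB/SE, the AUTHENTICATION option number 37,
   the IS/REPLY verbs and the AUTH_HOW_MUTUAL / ENCRYPT_USING_TELOPT bits are
   assumed from RFC 854 and RFC 2941 [2] and are not on this page.  The
   Kerberos KRB_AP_REQ / KRB_AP_REP bodies and the Kerberos checksum are
   replaced by a constructed HMAC-SHA256 stand-in under a shared key so the
   block runs offline; the tamper hook and all sample keys are constructed.

```python
"""Added example (not from RFC 2942 or any telnet implementation).

Models the KERBEROS_V5 AUTHENTICATION suboption framing and the server-side
checks this section requires.  Codes from this page: KERBEROS_V5 = 2 and the
sub-option commands AUTH=0 .. RESPONSE=3.  Assumed from RFC 854 / RFC 2941 [2]
(not on this page): IAC=255, SB=250, SE=240, AUTHENTICATION option 37, the
IS=0 / REPLY=2 verbs, and the type-pair bits AUTH_HOW_MUTUAL=2 and
ENCRYPT_USING_TELOPT=4.  The Kerberos KRB_AP_REQ / KRB_AP_REP bodies and the
Kerberos checksum are replaced by a constructed HMAC-SHA256 stand-in under a
shared key so the block runs offline.
"""
import hashlib
import hmac

IAC, SB, SE = 255, 250, 240                   # RFC 854 (assumed)
AUTHENTICATION = 37                           # telnet option number, RFC 2941 (assumed)
IS, REPLY = 0, 2                              # suboption verbs, RFC 2941 (assumed)
KERBEROS_V5 = 2                               # authentication type (this page)
AUTH, REJECT, ACCEPT, RESPONSE = 0, 1, 2, 3   # sub-option commands (this page)
AUTH_HOW_MUTUAL = 2                           # second-octet bit, RFC 2941 (assumed)
ENCRYPT_USING_TELOPT = 4                      # second-octet bit, RFC 2941 (assumed)
CKSUM_LEN = 32                                # HMAC-SHA256 output length (stand-in)


def frame(verb, type_pair, cmd, payload=b""):
    """IAC SB AUTHENTICATION <verb> <type-pair> <cmd> <payload> IAC SE.
    A 0xFF byte inside suboption data is sent as IAC IAC (RFC 854), which
    matters because DER-encoded Kerberos messages routinely contain 0xFF."""
    body = bytes([AUTHENTICATION, verb]) + type_pair + bytes([cmd]) + payload
    escaped = body.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB]) + escaped + bytes([IAC, SE])


def unframe(msg):
    """Inverse of frame(): returns (verb, type_pair, cmd, payload)."""
    if msg[:2] != bytes([IAC, SB]) or msg[-2:] != bytes([IAC, SE]):
        raise ValueError("not a telnet suboption")
    body = msg[2:-2].replace(bytes([IAC, IAC]), bytes([IAC]))
    if len(body) < 5 or body[0] != AUTHENTICATION:
        raise ValueError("not an AUTHENTICATION suboption")
    return body[1], body[2:4], body[4], body[5:]


def type_pair_checksum(key, type_pair):
    """Stand-in for the Kerberos V5 checksum of the two-byte type pair that
    the authenticator must carry (constructed: not a Kerberos cksumtype)."""
    return hmac.new(key, type_pair, hashlib.sha256).digest()


def build_ap_req(session_key, type_pair, subkey=b""):
    """Constructed stand-in for KRB_AP_REQ: authenticator = checksum of the
    type pair followed by the randomly chosen subkey (keyid 0 for encryption)."""
    return type_pair_checksum(session_key, type_pair) + subkey


def server_verify_auth(session_key, msg):
    """Server side of the AUTH command.  Returns (type_pair, key to use as
    keyid 0) or raises ValueError when the suboption must be REJECTed."""
    verb, type_pair, cmd, payload = unframe(msg)
    if verb != IS or cmd != AUTH or type_pair[0] != KERBEROS_V5:
        raise ValueError("unexpected suboption for KERBEROS_V5 AUTH")
    cksum, subkey = payload[:CKSUM_LEN], payload[CKSUM_LEN:]
    # The page requires this check so the server knows the type pair it sees is
    # the one the client committed to: a path element that clears
    # ENCRYPT_USING_TELOPT or AUTH_HOW_MUTUAL in transit fails here.
    if not hmac.compare_digest(cksum, type_pair_checksum(session_key, type_pair)):
        raise ValueError("type-pair checksum mismatch: negotiation altered or wrong key")
    # Empty subkey -> fall back to the ticket session key, as the page says.
    return type_pair, (subkey or session_key)


def server_replies(type_pair, key):
    """Replies the server sends after a verified AUTH: with AUTH_HOW_MUTUAL set,
    RESPONSE (KRB_AP_REP) must go out before ACCEPT."""
    replies = []
    if type_pair[1] & AUTH_HOW_MUTUAL:
        ap_rep = hmac.new(key, b"KRB_AP_REP", hashlib.sha256).digest()  # stand-in
        replies.append(frame(REPLY, type_pair, RESPONSE, ap_rep))
    replies.append(frame(REPLY, type_pair, ACCEPT))
    return replies


def run_exchange(session_key, type_pair, subkey, tamper=None):
    """Client builds AUTH; an optional tamper() rewrites the bytes in transit
    (constructed, to exercise the checksum check); server verifies and answers.
    Returns (list of reply command codes, list of framed replies)."""
    auth = frame(IS, type_pair, AUTH, build_ap_req(session_key, type_pair, subkey))
    if tamper:
        auth = tamper(auth)
    try:
        tp, key = server_verify_auth(session_key, auth)
    except ValueError as err:
        return [REJECT], [frame(REPLY, type_pair, REJECT, str(err).encode())]
    replies = server_replies(tp, key)
    return [unframe(r)[2] for r in replies], replies


if __name__ == "__main__":
    demo_key = b"\x11" * 32                                   # constructed
    mutual = bytes([KERBEROS_V5, AUTH_HOW_MUTUAL | ENCRYPT_USING_TELOPT])
    print(run_exchange(demo_key, mutual, bytes([0xFF] * 16))[0])
```

   Running the module prints the reply codes for a mutual, encrypting
   negotiation; the 0xFF subkey bytes exercise the IAC-doubling path, and
   a tamper hook that clears ENCRYPT_USING_TELOPT in transit produces a
   REJECT instead of RESPONSE/ACCEPT because the checksum no longer matches
   the type pair the server received.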


   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD <KRB_CRED
   message> IAC SE

      This command is used to forward Kerberos credentials for use by
      the remote session.  The credentials are passed as a Kerberos V5
      KRB_CRED message which includes, among other things, the forwarded
      Kerberos ticket and a session key associated with the ticket.
      Part of the KRB_CRED message is encrypted in the key previously
      exchanged for the telnet session by the AUTH suboption.

   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD_ACCEPT IAC

      This command indicates that the credential forwarding was