分享
 
 
 

RFC1411 - Telnet Authentication: Kerberos Version 4

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group D. Borman, Editor

Request for Comments: 1411 Cray Research, Inc.

January 1993

Telnet Authentication: Kerberos Version 4

Status of this Memo

This memo defines an EXPerimental Protocol for the Internet

community. Discussion and suggestions for improvement are requested.

Please refer to the current edition of the "IAB Official Protocol

Standards" for the standardization state and status of this protocol.

Distribution of this memo is unlimited.

1. Command Names and Codes

Authentication Types

KERBEROS_V4 1

Suboption Commands

AUTH 0

REJECT 1

ACCEPT 2

CHALLENGE 3

RESPONSE 4

2. Command Meanings

IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <kerberos

ticket and authenticator> IAC SE

This is used to pass the Kerberos ticket to the remote side of the

connection. The first octet of the <authentication-type-pair>

value is KERBEROS_V4, to indicate the usage of Kerberos version 4.

IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE

This command indicates that the authentication was sUCcessful.

IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT

<optional reason for rejection> IAC SE

This command indicates that the authentication was not successful,

and if there is any more data in the sub-option, it is an ASCII

text message of the reason for the rejection.

IAC SB AUTHENTICATION IS <authentication-type-pair> CHALLENGE

<encrypted challenge> IAC SE

IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE

<encrypted response> IAC SE

These two commands are used to perform mutual authentication.

They are only used when the AUTH_HOW_MUTUAL bit is set in the

second octet of the authentication-type-pair. After successfully

sending an AUTH and receiving an ACCEPT, a CHALLENGE is sent. The

challenge is a random 8 byte number with the most significant byte

first, and the least significant byte last. When the CHALLENGE

command is sent, the "encrypted challenge" is the 8-byte-challenge

encrypted in the session key. When the CHALLENGE command is

received, the contents are decrypted to get the original 8-byte-

challenge, this value is then incremented by one, re-encrypted

with the session key, and returned as the "encrypted response" in

the RESPONSE command. The receiver of the RESPONSE command

decrypts the "encrypted response", and verifies that the resultant

value is the original 8-byte-challenge incremented by one.

The "encrypted challenge" value sent/received in the CHALLENGE

command is also encrypted with the session key on both sides of

the session, to produce a random 8-byte key to be used as the

default key for the ENCRYPTION option.

3. Implementation Rules

If the second octet of the authentication-type-pair has the AUTH_WHO

bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial

AUTH command, and the server responds with either ACCEPT or REJECT.

In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the

server responds with ACCEPT, then the client then sends a CHALLENGE,

and the server sends a RESPONSE.

If the second octet of the authentication-type-pair has the AUTH_WHO

bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial

AUTH command, and the client responds with either ACCEPT or REJECT.

In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, and the

client responds with ACCEPT, then the server then sends a CHALLENGE,

and the client sends a RESPONSE.

The authenticator (Kerberos Principal) used is of the form

"rcmd.host@realm".

4. Examples

User "joe" may wish to log in as user "pete" on machine "foo". If

"pete" has set things up on "foo" to allow "joe" Access to his

account, then the client would send IAC SB AUTHENTICATION NAME "pete"

IAC SE IAC SB AUTHENTICATION IS KERBEROS_V4 AUTH <joe's kerberos

ticket> IAC SE The server would then authenticate the user as "joe"

from the ticket information, and since "pete" is allowing "joe" to

use his account, the server would send back ACCEPT. If mutual

authentication is being used, the the client would send a CHALLENGE,

and verify the RESPONSE that the server sends back.

Client Server

IAC DO AUTHENTICATION

IAC WILL AUTHENTICATION

[ The server is now free to request authentication information.

]

IAC SB AUTHENTICATION SEND

KERBEROS_V4 CLIENTMUTUAL

KERBEROS_V4 CLIENTONE_WAY IAC

SE

[ The server has requested mutual Version 4 Kerberos

authentication. If mutual authentication is not supported,

then the server is willing to do one-way authentication.

The client will now respond with the name of the user that it

wants to log in as, and the Kerberos ticket. ]

IAC SB AUTHENTICATION NAME

"pete" IAC SE

IAC SB AUTHENTICATION IS

KERBEROS_V4 CLIENTMUTUAL AUTH

<kerberos ticket information>

IAC SE

[ The server responds with an ACCEPT command to state that the

authentication was successful. ]

IAC SB AUTHENTICATION REPLY

KERBEROS_V4 CLIENTMUTUAL ACCEPT

IAC SE

[ Next, the client sends across a CHALLENGE to verify that it is

really talking to the right server. ]

IAC SB AUTHENTICATION IS

KERBEROS_V4 CLIENTMUTUAL

CHALLENGE xx xx xx xx xx xx xx

xx IAC SE

[ Lastly, the server sends across a RESPONSE to prove that it

really is the right server.

IAC SB AUTHENTICATION REPLY

KERBEROS_V4 CLIENTMUTUAL

RESPONSE yy yy yy yy yy yy yy yy

IAC SE

Security Considerations

The ability to negotiate a common authentication mechanism between

client and server is a feature of the authentication option that

should be used with caution. When the negotiation is performed, no

authentication has yet occurred. Therefore, each system has no way

of knowing whether or not it is talking to the system it intends. An

intruder could attempt to negotiate the use of an authentication

system which is either weak, or already compromised by the intruder.

Author's Address

David A. Borman, Editor

Cray Research, Inc.

655F Lone Oak Drive

Eagan, MN 55123

Phone: (612) 452-6650

EMail: dab@CRAY.COM

Mailing List: telnet-ietf@CRAY.COM

Chair's Address

The working group can be contacted via the current chair:

Steve Alexander

INTERACTIVE Systems Corporation

1901 North Naper Boulevard

Naperville, IL 60563-8895

Phone: (708) 505-9100 x256

EMail: stevea@isc.com

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有