[1474] in Kerberos-V5-bugs


Kerberos V5 Telnet compliance with RFC1416

daemon@ATHENA.MIT.EDU (John J. Marco)
Wed Jun 14 18:38:37 1995

From: "John J. Marco" <johnma@sco.COM>
To: krb5-bugs@MIT.EDU
Cc: johnma@sco.COM, jonco@sco.COM, dceivers@sco.COM
Date: Wed, 14 Jun 1995 15:35:12 -0700 (PDT)

Yet another question, 

Does the Kerberos V5 telnet program in the Krb5 Beta 5 release 
fully adhere to the specification of the telnet authentication
option defined in RFC 1416?  If not, then where can I obtain
documentation on the protocol being used?

Specifically, I would expect that an RFC 1416 compliant telnet
and telnetd would communicate with each other as follows.

Kerberos user "kuser" on machine "client" logs into machine "server"
as remote user "ruser" (and is authorized)

 "<---" means "server sends to client"
 "--->" means "client sends to server"

Machine "client"                                 Machine "server"
-----------------------------------------------------------------------
        <--- IAC DO AUTHENTICATION               <-------

        ---> IAC WILL AUTHENTICATION             ------->

        <--- IAC SB AUTHENTICATION SEND          <-------
                KERBEROS_V5 CLIENT|MUTUAL
                KERBEROS_V5 CLIENT|ONE_WAY

        <--- IAC SE                              <-------

        ---> IAC SB AUTHENTICATION NAME "ruser"  ------->

        ---> IAC SE                              ------->

        ---> IAC SB AUTHENTICATION IS            ------->
                KERBEROS_V5 CLIENT|MUTUAL AUTH
                ( authentication info for "kuser" )

        ---> IAC SE                              ------->

        <--- IAC SB AUTHENTICATION REPLY         <-------
                KERBEROS_V5 CLIENT|MUTUAL ACCEPT

        <--- IAC SE                              <-------

        ---> IAC SB AUTHENTICATION IS            ------->
                KERBEROS_V5 CLIENT|MUTUAL
                CHALLENGE xx xx xx xx xx xx xx xx

        ---> IAC SE                              ------->

        <--- IAC SB AUTHENTICATION REPLY         <-------
                KERBEROS_V5 CLIENT|MUTUAL
                RESPONSE yy yy yy yy yy yy yy yy

        <--- IAC SE                              <-------

At this point, the server would have the local account name (ruser),
the client's principal name (kuser), and could then do a krb5_kuserok()
to determine whether the user may log in as "ruser" without a password.

Unfortunately, several telnet programs I have looked at do not 
appear to follow the above convention.

Any information on this subject is greatly appreciated.

-----------------------------------------------------------------------
| John Marco                      |   The Santa Cruz Operation, Inc.  |
| Distributed Systems Engineering |   johnma@sco.COM  (408)427-7638   |
-----------------------------------------------------------------------
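The exchange in the message above, as an added example that is not part of the original post or of the MIT Kerberos telnet code: a small Python implementation of the telnet AUTHENTICATION option framing, using the byte values from RFC 854 and RFC 1416 (IAC/SB/SE, option 37, the IS/SEND/REPLY/NAME commands, KERBEROS_V5 = 2, and the CLIENT/MUTUAL modifier bits). The Kerberos sub-message codes (AUTH, ACCEPT, CHALLENGE, RESPONSE) are an assumption: they follow the RFC 1411 layout that the CHALLENGE/RESPONSE steps in the message imply. The ticket, challenge and response bytes are constructed placeholders. The point worth checking in any telnet implementation, on either side, is the IAC-doubling rule: a 0xFF byte inside the authentication data must be escaped on the wire and unescaped by the parser, or it will be mistaken for the IAC that terminates the suboption and the exchange will desynchronise.

```python
"""Telnet AUTHENTICATION option (RFC 1416) framing for the exchange above.

Constructed example. Command bytes are from RFC 854, option/command codes
from RFC 1416. The KRB_* sub-codes are ASSUMED to follow RFC 1411's layout.
"""

# RFC 854 command bytes.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
# RFC 1416: option number and suboption commands.
AUTHENTICATION = 37
AUTH_IS, AUTH_SEND, AUTH_REPLY, AUTH_NAME = 0, 1, 2, 3
# RFC 1416: authentication type and modifier bits.
KERBEROS_V5 = 2
AUTH_CLIENT_TO_SERVER, AUTH_SERVER_TO_CLIENT = 0, 1   # AUTH_WHO bit
AUTH_HOW_ONE_WAY, AUTH_HOW_MUTUAL = 0, 2              # AUTH_HOW bit
# Kerberos sub-message codes. ASSUMPTION: RFC 1411 (Kerberos V4) layout.
KRB_AUTH, KRB_REJECT, KRB_ACCEPT, KRB_CHALLENGE, KRB_RESPONSE = 0, 1, 2, 3, 4

CMD_NAMES = {AUTH_IS: "IS", AUTH_SEND: "SEND", AUTH_REPLY: "REPLY", AUTH_NAME: "NAME"}


def escape_iac(data: bytes) -> bytes:
    """Inside a suboption every literal 0xFF is doubled; otherwise a 0xFF in a
    ticket or checksum would be read as the IAC that starts IAC SE."""
    return data.replace(b"\xff", b"\xff\xff")


def suboption(cmd: int, body: bytes) -> bytes:
    """IAC SB AUTHENTICATION <cmd> <escaped body> IAC SE"""
    return bytes([IAC, SB, AUTHENTICATION, cmd]) + escape_iac(body) + bytes([IAC, SE])


def auth_send(pairs) -> bytes:
    """Server lists the (type, modifier) pairs it is willing to accept."""
    return suboption(AUTH_SEND, bytes(b for pair in pairs for b in pair))


def auth_name(name: str) -> bytes:
    """Client names the local account it wants to log in as."""
    return suboption(AUTH_NAME, name.encode("ascii"))


def auth_is(auth_type: int, modifier: int, data: bytes) -> bytes:
    return suboption(AUTH_IS, bytes([auth_type, modifier]) + data)


def auth_reply(auth_type: int, modifier: int, data: bytes) -> bytes:
    return suboption(AUTH_REPLY, bytes([auth_type, modifier]) + data)


def parse_stream(buf: bytes):
    """Decode one direction of the stream into a list of dicts, unescaping
    IAC IAC inside suboptions. Raises ValueError on malformed input."""
    msgs, i = [], 0
    while i < len(buf):
        if buf[i] != IAC:
            raise ValueError(f"expected IAC at offset {i}")
        cmd = buf[i + 1]
        if cmd in (DO, DONT, WILL, WONT):          # three-byte option negotiation
            msgs.append({"cmd": cmd, "option": buf[i + 2]})
            i += 3
            continue
        if cmd != SB:
            raise ValueError(f"unsupported command {cmd} at offset {i}")
        i += 2
        body = bytearray()
        while True:                                  # collect until IAC SE
            if i + 1 >= len(buf):
                raise ValueError("unterminated suboption")
            if buf[i] == IAC and buf[i + 1] == IAC:  # escaped literal 0xFF
                body.append(IAC)
                i += 2
            elif buf[i] == IAC and buf[i + 1] == SE:
                i += 2
                break
            elif buf[i] == IAC:
                raise ValueError(f"bare IAC inside suboption at offset {i}")
            else:
                body.append(buf[i])
                i += 1
        if len(body) < 2 or body[0] != AUTHENTICATION:
            raise ValueError("not an AUTHENTICATION suboption")
        sub, rest = body[1], bytes(body[2:])
        msg = {"cmd": SB, "sub": CMD_NAMES[sub]}
        if sub == AUTH_SEND:
            msg["pairs"] = [(rest[k], rest[k + 1]) for k in range(0, len(rest), 2)]
        elif sub == AUTH_NAME:
            msg["name"] = rest.decode("ascii")
        else:                                        # IS / REPLY: type, modifier, data
            msg["type"], msg["modifier"], msg["data"] = rest[0], rest[1], rest[2:]
        msgs.append(msg)
    return msgs


def example_exchange():
    """The eight steps from the message above as (direction, frame) pairs.
    Placeholder bytes are constructed; the ticket deliberately contains 0xFF."""
    mutual = AUTH_CLIENT_TO_SERVER | AUTH_HOW_MUTUAL
    one_way = AUTH_CLIENT_TO_SERVER | AUTH_HOW_ONE_WAY
    ap_req = b"\xff\x01\x02\xff"                     # constructed, not a real KRB_AP_REQ
    challenge, response = bytes(range(8)), bytes(range(8, 0, -1))  # constructed
    return [
        ("server->client", bytes([IAC, DO, AUTHENTICATION])),
        ("client->server", bytes([IAC, WILL, AUTHENTICATION])),
        ("server->client", auth_send([(KERBEROS_V5, mutual), (KERBEROS_V5, one_way)])),
        ("client->server", auth_name("ruser")),
        ("client->server", auth_is(KERBEROS_V5, mutual, bytes([KRB_AUTH]) + ap_req)),
        ("server->client", auth_reply(KERBEROS_V5, mutual, bytes([KRB_ACCEPT]))),
        ("client->server", auth_is(KERBEROS_V5, mutual, bytes([KRB_CHALLENGE]) + challenge)),
        ("server->client", auth_reply(KERBEROS_V5, mutual, bytes([KRB_RESPONSE]) + response)),
    ]


def decode_exchange():
    """Run the parser over each frame of example_exchange()."""
    return [(direction, parse_stream(frame)[0]) for direction, frame in example_exchange()]


if __name__ == "__main__":
    for direction, msg in decode_exchange():
        print(direction, msg)
```

Each frame is built and parsed separately here; on a real connection the frames in one direction arrive concatenated and parse_stream handles that as well, since it loops until the buffer is exhausted.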

