[Docs] [txt|pdf] [Tracker] [WG] [Email] [Nits]

Versions: 00 RFC 1412

Network Working Group                    Internet Engineering Task Force
Internet-Draft                                      Telnet Working Group
                                                        Kannan Alagappan
                                           Digital Equipment Corporation
                                                               July 1992


                      Telnet Authentication : SPX

Status of this Memo

   This document is an Internet Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months. Internet Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet
   Drafts as reference material or to cite them other than as a "working
   draft" or "work in progress."

   Please check the 1id-abstracts.txt listing contained in the
   internet-drafts Shadow Directories on nic.ddn.mil, nnsc.nsf.net,
   nic.nordu.net, ftp.nisc.sri.com, or munnari.oz.au to learn the
   current status of any Internet Draft.

1. Command Names and Codes

   Authentication Types

      SPX          3

   Suboption Commands

      AUTH         0
      REJECT       1
      ACCEPT       2

2.  Command Meanings

   IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <SPX authen-
   tication token> IAC SE

      This is used to pass the SPX authentication token to the remote
      side of the connection.  (A document which describes the authenti-
      cation token syntax is forthcoming.)  The first octet of the



Telnet Working Group      Expires January 1993                  [Page 1]


Internet-Draft               SPX for Telnet                    July 1992


      <authentication-type-pair> value is SPX.  The second octet is a
      modifier to the SPX authentication type.

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT <mutual
   response> IAC SE

      This command indicates that the authentication was successful.
      After an SPX authentication exchange, both sides have securely es-
      tablished a random 8-byte key to be used as the default key for
      the ENCRYPTION option.  If the AUTH_HOW_MUTUAL bit is set in the
      second octet of the authentication-type-pair, the sender includes
      the mutual response bytes.  The receiver of the ACCEPT command
      compares the "mutual response" with its expected mutual response.
      (A document which describes the mutual response syntax is forth-
      coming.)  If the AUTH_HOW_ONE_WAY bit is set in the second octet
      of the authentication-type-pair, the sender includes zero bytes of
      mutual response.

   IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT <op-
   tional reason for rejection> IAC SE

      This command indicates that the authentication was not successful,
      and if there is any more data in the sub-option, it is an ASCII
      text message of the reason for the rejection.


3.  Implementation Rules

   Every command after the first AUTHENTICATION IS must carry the same
   set of modifiers (e.g., CLIENT|MUTUAL) for subsequent AUTHENTICATION
   IS and AUTHENTICATION REPLY commands.

   If the second octet of the authentication-type-pair has the AUTH_WHO
   bit set to AUTH_WHO_CLIENT, then the client sends the initial AUTH
   command, and the server responds with either ACCEPT or REJECT.

   If the second octet of the authentication-type-pair has the AUTH_WHO
   bit set to AUTH_WHO_SERVER, then the server sends the initial AUTH
   command, and the client responds with either ACCEPT or REJECT.

4.  Examples

   User "joe" may wish to log in as user "pete" on machine "foo".  If
   "pete" has set things up on "foo" to allow "joe" access to his ac-
   count, then the client would send IAC SB AUTHENTICATION NAME "pete"
   IAC SE IAC SB AUTHENTICATION IS SPX AUTH <joe's spx authentication
   token> IAC SE.  The server would then authenticate the user as "joe"
   from the token information, and the server would send back either AC-
   CEPT or REJECT.  If mutual authentication is being used, the server
   would include in the ACCEPT message, a mutual response.  The authori-



Telnet Working Group      Expires January 1993                  [Page 2]


Internet-Draft               SPX for Telnet                    July 1992


   zation check to see if "pete" is allowing "joe" to use his account is
   made after the authentication exchange is complete.  Therefore, it is
   possible for the client to receive an ACCEPT response (based on the
   authentication token), but for joe to be denied access to log in to
   pete's account.


       Client                           Server
                                        IAC DO AUTHENTICATION
       IAC WILL AUTHENTICATION

       [ The server is now free to request authentication information.
         ]

                                        IAC SB AUTHENTICATION SEND SPX
                                        CLIENT|MUTUAL SPX CLIENT|ONE_WAY
                                        IAC SE

       [ The server has requested mutual SPX authentication.  If mutual
         authentication is not supported, then the server is willing to
         do one-way SPX authentication.  ]

       [ The client will now respond with the name of the user that it
         wants to log in as, and the SPX authentication token.  ]

       IAC SB AUTHENTICATION NAME
       "pete" IAC SE
       IAC SB AUTHENTICATION IS SPX
       CLIENT|MUTUAL AUTH <spx
       authentication token
       information> IAC SE

       [ The server responds with an ACCEPT command to state that the
         authentication was successful.  ]

       [ If AUTH_HOW_MUTUAL, the server responds with the mutual
         response so the client can verify that it is really talking to
         the right server.  ]

       [ If AUTH_HOW_ONE_WAY, the server responds with a NULL mutual
         response, since the client is willing to trust the server
         already.  ]

                                        IAC SB AUTHENTICATION REPLY SPX
                                        CLIENT|MUTUAL ACCEPT <mutual
                                        response> IAC SE

Author's Address

   Kannan Alagappan



Telnet Working Group      Expires January 1993                  [Page 3]


Internet-Draft               SPX for Telnet                    July 1992


   Digital Equipment Corporation
   550 King Street, LKG1-2/A19
   Littleton, MA 01460

   Mailing List: telnet-ietf@CRAY.COM
   EMail: kannan@sejour.lkg.dec.com

   The working group can be contacted via the current chair:

   Steve Alexander
   INTERACTIVE Systems Corporation
   1901 North Naper Boulevard
   Naperville, IL 60563-8895

   Phone: (708) 505-9100 x256
   EMail: stevea@isc.com





































Telnet Working Group      Expires January 1993                  [Page 4]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/