Network Working Group Internet Engineering Task Force Internet-Draft Telnet Working Group Kannan Alagappan Digital Equipment Corporation July 1992 Telnet Authentication : SPX Status of this Memo This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a "working draft" or "work in progress." Please check the 1id-abstracts.txt listing contained in the internet-drafts Shadow Directories on nic.ddn.mil, nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or munnari.oz.au to learn the current status of any Internet Draft. 1. Command Names and Codes Authentication Types SPX 3 Suboption Commands AUTH 0 REJECT 1 ACCEPT 2 2. Command Meanings IAC SB AUTHENTICATION IS AUTH IAC SE This is used to pass the SPX authentication token to the remote side of the connection. (A document which describes the authenti- cation token syntax is forthcoming.) The first octet of the Telnet Working Group Expires January 1993 [Page 1] Internet-Draft SPX for Telnet July 1992 value is SPX. The second octet is a modifier to the SPX authentication type. IAC SB AUTHENTICATION REPLY ACCEPT IAC SE This command indicates that the authentication was successful. After an SPX authentication exchange, both sides have securely es- tablished a random 8-byte key to be used as the default key for the ENCRYPTION option. If the AUTH_HOW_MUTUAL bit is set in the second octet of the authentication-type-pair, the sender includes the mutual response bytes. The receiver of the ACCEPT command compares the "mutual response" with its expected mutual response. (A document which describes the mutual response syntax is forth- coming.) If the AUTH_HOW_ONE_WAY bit is set in the second octet of the authentication-type-pair, the sender includes zero bytes of mutual response. IAC SB AUTHENTICATION REPLY REJECT IAC SE This command indicates that the authentication was not successful, and if there is any more data in the sub-option, it is an ASCII text message of the reason for the rejection. 3. Implementation Rules Every command after the first AUTHENTICATION IS must carry the same set of modifiers (e.g., CLIENT|MUTUAL) for subsequent AUTHENTICATION IS and AUTHENTICATION REPLY commands. If the second octet of the authentication-type-pair has the AUTH_WHO bit set to AUTH_WHO_CLIENT, then the client sends the initial AUTH command, and the server responds with either ACCEPT or REJECT. If the second octet of the authentication-type-pair has the AUTH_WHO bit set to AUTH_WHO_SERVER, then the server sends the initial AUTH command, and the client responds with either ACCEPT or REJECT. 4. Examples User "joe" may wish to log in as user "pete" on machine "foo". If "pete" has set things up on "foo" to allow "joe" access to his ac- count, then the client would send IAC SB AUTHENTICATION NAME "pete" IAC SE IAC SB AUTHENTICATION IS SPX AUTH IAC SE. The server would then authenticate the user as "joe" from the token information, and the server would send back either AC- CEPT or REJECT. If mutual authentication is being used, the server would include in the ACCEPT message, a mutual response. The authori- Telnet Working Group Expires January 1993 [Page 2] Internet-Draft SPX for Telnet July 1992 zation check to see if "pete" is allowing "joe" to use his account is made after the authentication exchange is complete. Therefore, it is possible for the client to receive an ACCEPT response (based on the authentication token), but for joe to be denied access to log in to pete's account. Client Server IAC DO AUTHENTICATION IAC WILL AUTHENTICATION [ The server is now free to request authentication information. ] IAC SB AUTHENTICATION SEND SPX CLIENT|MUTUAL SPX CLIENT|ONE_WAY IAC SE [ The server has requested mutual SPX authentication. If mutual authentication is not supported, then the server is willing to do one-way SPX authentication. ] [ The client will now respond with the name of the user that it wants to log in as, and the SPX authentication token. ] IAC SB AUTHENTICATION NAME "pete" IAC SE IAC SB AUTHENTICATION IS SPX CLIENT|MUTUAL AUTH IAC SE [ The server responds with an ACCEPT command to state that the authentication was successful. ] [ If AUTH_HOW_MUTUAL, the server responds with the mutual response so the client can verify that it is really talking to the right server. ] [ If AUTH_HOW_ONE_WAY, the server responds with a NULL mutual response, since the client is willing to trust the server already. ] IAC SB AUTHENTICATION REPLY SPX CLIENT|MUTUAL ACCEPT IAC SE Author's Address Kannan Alagappan Telnet Working Group Expires January 1993 [Page 3] Internet-Draft SPX for Telnet July 1992 Digital Equipment Corporation 550 King Street, LKG1-2/A19 Littleton, MA 01460 Mailing List: telnet-ietf@CRAY.COM EMail: kannan@sejour.lkg.dec.com The working group can be contacted via the current chair: Steve Alexander INTERACTIVE Systems Corporation 1901 North Naper Boulevard Naperville, IL 60563-8895 Phone: (708) 505-9100 x256 EMail: stevea@isc.com Telnet Working Group Expires January 1993 [Page 4]