📄 rfc2941.txt
字号:
RFC 2941 Telnet Authentication Option September 2000
INI_CRED_FWD_OFF
The client will not be forwarding credentials to the server.
This mode must be used if the selected authentication method
does not support credentials forwarding.
INI_CRED_FWD_ON
Once authentication, and perhaps encryption, completes, the
client will immediately forward authentication credentials
to the server.
The motivation for this advisory bit is that the server may wish
to wait until the forwarded credentials have been sent before
starting any operating system specific login procedures which may
depend on these credentials. Note that credentials forwarding may
not be supported by all authentication mechanisms. It is a
protocol error to set this bit if the underlying authentication
mechanism does not support credentials forwarding.
Credentials forwarding MUST NOT be performed if
AUTH_CLIENT_TO_SERVER|AUTH_HOW_ONE_WAY was used since the identity
of the server can not be assured. Credentials SHOULD NOT be
forwarded if the telnet connection is not protected using some
encryption or integrity protection services.
Note that older implementations of the telnet authentication
option will not understand the ENCRYPT_MASK and INI_CRED_FWD_MASK
bits. Hence an implementation wishing to offer these bits should
offer authentication type pairs with these bits both set and not
set if backwards compatibility is required.
3. Default Specification
The default specification for this option is
WONT AUTHENTICATION DONT AUTHENTICATION
meaning there will not be any exchange of authentication information.
4. Motivation
One of the deficiencies of the Telnet protocol is that in order to
log into remote systems, users have to type their passwords, which
are passed in clear text through the network. If the connections go
through untrusted networks, there is the possibility that passwords
will be compromised by someone watching the packets while in transit.
Ts'o & Altman Standards Track [Page 6]
RFC 2941 Telnet Authentication Option September 2000
The purpose of the AUTHENTICATION option is to provide a framework
for the passing of authentication information through the TELNET
session, and a mechanism to enable encryption of the data stream as a
side effect of successful authentication or via subsequent use of the
telnet ENCRYPT option. This means that: 1) the users password will
not be sent in clear text across the network, 2) if the front end
telnet process has the appropriate authentication information, it can
automatically send the information, and the user will not have to
type any password. 3) once authentication has succeeded, the data
stream can be encrypted to provide protection against active attacks.
It is intended that the AUTHENTICATION option be general enough that
it can be used to pass information for any authentication and
encryption system.
5. Security Implications
The ability to negotiate a common authentication mechanism between
client and server is a feature of the authentication option that
should be used with caution. When the negotiation is performed, no
authentication has yet occurred. Therefore each system has no way of
knowing whether or not it is talking to the system it intends. An
intruder could attempt to negotiate the use of an authentication
system which is either weak, or already compromised by the intruder.
If the authentication type requires that encryption be enabled as a
separate optional negotiation (the ENCRYPT option), it will provide a
window of vulnerability from when the authentication completes, up to
and including the negotiation to turn on encryption by an active
attacker. An active attack is one where the underlying TCP stream
can be modified or taken over by the active attacker. If the server
only offers authentication type pairs that include the
ENCRYPT_USING_TELOPT set in the ENCRYPT_MASK field, this will avoid
the window of vulnerability, since both parties will agree that
telnet ENCRYPT option must be successfully negotiated immediately
following the successful completion of telnet AUTH.
Other authentication types link the enabling of encryption as a side
effect of successful authentication. This will also provide
protection against the active attacker. The ENCRYPT_AFTER_EXCHANGE
bit allows these authentication types to negotiate encryption so that
it can be made optional.
Another opportunity for active attacks is presented when encryption
may be turned on and off without re-authentication. Once encryption
is disabled, an attacker may hijack the telnet stream, and interfere
with attempts to restart encryption. Therefore, a client SHOULD NOT
Ts'o & Altman Standards Track [Page 7]
RFC 2941 Telnet Authentication Option September 2000
support the ability to turn off encryption. Once encryption is
disabled, if an attempt to re-enable encryption fails, the client
MUST terminate the telnet connection.
It is important that in both cases the authentication type pair be
integrity protected at the end of the authentication exchange. This
must be specified for each authentication type to ensure that the
result of the telnet authentication option negotiation is agreed to
by both the client and the server. Some authentication type
suboptions may wish to include all of the telnet authentication
negotiation exchanges in the integrity checksum, to fully protect the
entire exchange.
Each side MUST verify the consistency of the auth-type-pairs in each
message received. Any variation in the auth-type-pair MUST be
treated as a fatal protocol error.
6. Implementation Rules
WILL and DO are used only at the beginning of the connection to
obtain and grant permission for future negotiations.
The authentication is only negotiated in one direction; the server
must send the "DO", and the client must send the "WILL". This
restriction is due to the nature of authentication; there are three
possible cases; server authenticates client, client authenticates
server, and server and client authenticate each other. By only
negotiating the option in one direction, and then determining which
of the three cases is being used via the suboption, potential
ambiguity is removed. If the server receives a "DO", it must respond
with a "WONT". If the client receives a "WILL", it must respond with
a "DONT".
Once the two hosts have exchanged a DO and a WILL, the server is free
to request authentication information. In the request, a list of
supported authentication types is sent. Only the server may send
requests ("IAC SB AUTHENTICATION SEND authentication-type-pair-list
IAC SE"). Only the client may transmit authentication information
via the "IAC SB AUTHENTICATION IS authentication-type ... IAC SE"
command. Only the server may send replies ("IAC SB AUTHENTICATION
REPLY authentication-type ... IAC SE"). As many IS and REPLY
suboptions may be exchanged as are needed for the particular
authentication scheme chosen.
If the client does not support any of the authentication types listed
in the authentication-type-pair-list, a type of NULL should be used
to indicate this in the IS reply. Note that if the client responds
with a type of NULL, the server may choose to close the connection.
Ts'o & Altman Standards Track [Page 8]
RFC 2941 Telnet Authentication Option September 2000
When the server has concluded that authentication cannot be
negotiated with the client it should send IAC DONT AUTH to the
client.
The order of the authentication types MUST be ordered to indicate a
preference for different authentication types, the first type being
the most preferred, and the last type the least preferred.
As long as the server is WILL AUTH it may request authentication
information at any time. This is done by sending a new list of
supported authentication types. Requesting authentication
information may be done as a way of verifying the validity of the
client's credentials after an extended period of time or to negotiate
a new session key for use during encryption.
7. User Interface
Normally protocol specifications do not address user interface
specifications. However, due to the fact that the user will probably
want to be able to configure the authentication and encryption and
know whether or not the negotiations succeeded, some guidance needs
to be given to implementors to provide some minimum level of user
control.
The user MUST be able to specify whether or not authentication is to
be used, and whether or not encryption is to used if the
authentication succeeds. There SHOULD be at least four settings,
REQUIRE, PROMPT, WARN and DISABLE. Setting the authentication switch
to REQUIRE means that if the authentication fails, then an
appropriate error message must be displayed and the TELNET connection
must be terminated. Setting the authentication switch to PROMPT
means that if the authentication fails, then an appropriate error
message must be displayed and the user must be prompted for
confirmation before continuing the TELNET session. Setting the
authentication switch to WARN means that if the authentication fails,
then an appropriate error message must be displayed before continuing
the TELNET session. Setting the authentication switch to DISABLE
means that authentication will not be attempted. The encryption
switch SHOULD have the same settings as the authentication switch;
however its settings are only used when authentication succeeds. The
default setting for both switches should be WARN. Both of these
switches may be implemented as a single switch, though having them
separate gives more control to the user.
Ts'o & Altman Standards Track [Page 9]
RFC 2941 Telnet Authentication Option September 2000
8. Example
The following is an example of use of the option:
Client Server
IAC DO AUTHENTICATION
IAC WILL AUTHENTICATION
[ The server is now free to request authentication information.
]
IAC SB AUTHENTICATION SEND
KERBEROS_V4 CLIENT|MUTUAL
KERBEROS_V4 CLIENT|ONE_WAY IAC
SE
[ The server has requested mutual Kerberos authentication, but is
willing to do just one-way Kerberos authentication. The client
will now respond with the name of the user that it wants to log
in as, and the Kerberos ticket. ]
IAC SB AUTHENTICATION NAME "joe"
IAC SE
IAC SB AUTHENTICATION IS
KERBEROS_V4 CLIENT|MUTUAL AUTH 4
7 1 67 82 65 89 46 67 7 9 77 0
48 24 49 244 109 240 50 208 43
35 25 116 104 44 167 21 201 224
229 145 20 2 244 213 220 33 134
148 4 251 249 233 229 152 77 2
109 130 231 33 146 190 248 1 9
31 95 94 15 120 224 0 225 76 205
70 136 245 190 199 147 155 13
IAC SE
[ The server responds with an ACCEPT command to state that the
authentication was successful. ]
IAC SB AUTHENTICATION REPLY
KERBEROS_V4 CLIENT|MUTUAL ACCEPT
IAC SE
[ Next, the client sends across a CHALLENGE to verify that it is
really talking to the right server. ]
IAC SB AUTHENTICATION IS
KERBEROS_V4 CLIENT|MUTUAL
CHALLENGE xx xx xx xx xx xx xx
xx IAC SE
[ Lastly, the server sends across a RESPONSE to prove that it
really is the right server.
IAC SB AUTHENTICATION REPLY
KERBEROS_V4 CLIENT|MUTUAL
RESPONSE yy yy yy yy yy yy yy yy
IAC SE
Ts'o & Altman Standards Track [Page 10]
RFC 2941 Telnet Authentication Option September 2000
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -