rfc2941.txt

中、英文RFC文档大全打包下载完全版 .


RFC 2941              Telnet Authentication Option        September 2000


         INI_CRED_FWD_OFF

            The client will not be forwarding credentials to the server.
            This mode must be used if the selected authentication method
            does not support credentials forwarding.

         INI_CRED_FWD_ON

            Once authentication, and perhaps encryption, completes, the
            client will immediately forward authentication credentials
            to the server.

      The motivation for this advisory bit is that the server may wish
      to wait until the forwarded credentials have been sent before
      starting any operating system specific login procedures which may
      depend on these credentials.  Note that credentials forwarding may
      not be supported by all authentication mechanisms.  It is a
      protocol error to set this bit if the underlying authentication
      mechanism does not support credentials forwarding.

      Credentials forwarding MUST NOT be performed if
      AUTH_CLIENT_TO_SERVER|AUTH_HOW_ONE_WAY was used since the identity
      of the server can not be assured.  Credentials SHOULD NOT be
      forwarded if the telnet connection is not protected using some
      encryption or integrity protection services.

      Note that older implementations of the telnet authentication
      option will not understand the ENCRYPT_MASK and INI_CRED_FWD_MASK
      bits.  Hence an implementation wishing to offer these bits should
      offer authentication type pairs with these bits both set and not
      set if backwards compatibility is required.

3.  Default Specification

   The default specification for this option is

      WONT AUTHENTICATION DONT AUTHENTICATION

   meaning there will not be any exchange of authentication information.

4.  Motivation

   One of the deficiencies of the Telnet protocol is that in order to
   log into remote systems, users have to type their passwords, which
   are passed in clear text through the network.  If the connections go
   through untrusted networks, there is the possibility that passwords
   will be compromised by someone watching the packets while in transit.




Ts'o & Altman               Standards Track                     [Page 6]

RFC 2941              Telnet Authentication Option        September 2000


   The purpose of the AUTHENTICATION option is to provide a framework
   for the passing of authentication information through the TELNET
   session, and a mechanism to enable encryption of the data stream as a
   side effect of successful authentication or via subsequent use of the
   telnet ENCRYPT option.  This means that: 1) the users password will
   not be sent in clear text across the network, 2) if the front end
   telnet process has the appropriate authentication information, it can
   automatically send the information, and the user will not have to
   type any password.  3) once authentication has succeeded, the data
   stream can be encrypted to provide protection against active attacks.

   It is intended that the AUTHENTICATION option be general enough that
   it can be used to pass information for any authentication and
   encryption system.

5.  Security Implications

   The ability to negotiate a common authentication mechanism between
   client and server is a feature of the authentication option that
   should be used with caution.  When the negotiation is performed, no
   authentication has yet occurred.  Therefore each system has no way of
   knowing whether or not it is talking to the system it intends.  An
   intruder could attempt to negotiate the use of an authentication
   system which is either weak, or already compromised by the intruder.

   If the authentication type requires that encryption be enabled as a
   separate optional negotiation (the ENCRYPT option), it will provide a
   window of vulnerability from when the authentication completes, up to
   and including the negotiation to turn on encryption by an active
   attacker.  An active attack is one where the underlying TCP stream
   can be modified or taken over by the active attacker.  If the server
   only offers authentication type pairs that include the
   ENCRYPT_USING_TELOPT set in the ENCRYPT_MASK field, this will avoid
   the window of vulnerability, since both parties will agree that
   telnet ENCRYPT option must be successfully negotiated immediately
   following the successful completion of telnet AUTH.

   Other authentication types link the enabling of encryption as a side
   effect of successful authentication.  This will also provide
   protection against the active attacker.  The ENCRYPT_AFTER_EXCHANGE
   bit allows these authentication types to negotiate encryption so that
   it can be made optional.

   Another opportunity for active attacks is presented when encryption
   may be turned on and off without re-authentication.  Once encryption
   is disabled, an attacker may hijack the telnet stream, and interfere
   with attempts to restart encryption.  Therefore, a client SHOULD NOT




Ts'o & Altman               Standards Track                     [Page 7]

RFC 2941              Telnet Authentication Option        September 2000


   support the ability to turn off encryption.  Once encryption is
   disabled, if an attempt to re-enable encryption fails, the client
   MUST terminate the telnet connection.

   It is important that in both cases the authentication type pair be
   integrity protected at the end of the authentication exchange.  This
   must be specified for each authentication type to ensure that the
   result of the telnet authentication option negotiation is agreed to
   by both the client and the server.  Some authentication type
   suboptions may wish to include all of the telnet authentication
   negotiation exchanges in the integrity checksum, to fully protect the
   entire exchange.

   Each side MUST verify the consistency of the auth-type-pairs in each
   message received.  Any variation in the auth-type-pair MUST be
   treated as a fatal protocol error.

6.  Implementation Rules

   WILL and DO are used only at the beginning of the connection to
   obtain and grant permission for future negotiations.

   The authentication is only negotiated in one direction; the server
   must send the "DO", and the client must send the "WILL".  This
   restriction is due to the nature of authentication; there are three
   possible cases; server authenticates client, client authenticates
   server, and server and client authenticate each other.  By only
   negotiating the option in one direction, and then determining which
   of the three cases is being used via the suboption, potential
   ambiguity is removed.  If the server receives a "DO", it must respond
   with a "WONT".  If the client receives a "WILL", it must respond with
   a "DONT".

   Once the two hosts have exchanged a DO and a WILL, the server is free
   to request authentication information.  In the request, a list of
   supported authentication types is sent.  Only the server may send
   requests ("IAC SB AUTHENTICATION SEND authentication-type-pair-list
   IAC SE").  Only the client may transmit authentication information
   via the "IAC SB AUTHENTICATION IS authentication-type ... IAC SE"
   command.  Only the server may send replies ("IAC SB AUTHENTICATION
   REPLY authentication-type ... IAC SE").  As many IS and REPLY
   suboptions may be exchanged as are needed for the particular
   authentication scheme chosen.

   If the client does not support any of the authentication types listed
   in the authentication-type-pair-list, a type of NULL should be used
   to indicate this in the IS reply.  Note that if the client responds
   with a type of NULL, the server may choose to close the connection.



Ts'o & Altman               Standards Track                     [Page 8]

RFC 2941              Telnet Authentication Option        September 2000


   When the server has concluded that authentication cannot be
   negotiated with the client it should send IAC DONT AUTH to the
   client.

   The order of the authentication types MUST be ordered to indicate a
   preference for different authentication types, the first type being
   the most preferred, and the last type the least preferred.

   As long as the server is WILL AUTH it may request authentication
   information at any time.  This is done by sending a new list of
   supported authentication types.  Requesting authentication
   information may be done as a way of verifying the validity of the
   client's credentials after an extended period of time or to negotiate
   a new session key for use during encryption.

7.  User Interface

   Normally protocol specifications do not address user interface
   specifications.  However, due to the fact that the user will probably
   want to be able to configure the authentication and encryption and
   know whether or not the negotiations succeeded, some guidance needs
   to be given to implementors to provide some minimum level of user
   control.

   The user MUST be able to specify whether or not authentication is to
   be used, and whether or not encryption is to used if the
   authentication succeeds.  There SHOULD be at least four settings,
   REQUIRE, PROMPT, WARN and DISABLE.  Setting the authentication switch
   to REQUIRE means that if the authentication fails, then an
   appropriate error message must be displayed and the TELNET connection
   must be terminated.  Setting the authentication switch to PROMPT
   means that if the authentication fails, then an appropriate error
   message must be displayed and the user must be prompted for
   confirmation before continuing the TELNET session.  Setting the
   authentication switch to WARN means that if the authentication fails,
   then an appropriate error message must be displayed before continuing
   the TELNET session.  Setting the authentication switch to DISABLE
   means that authentication will not be attempted.  The encryption
   switch SHOULD have the same settings as the authentication switch;
   however its settings are only used when authentication succeeds.  The
   default setting for both switches should be WARN.  Both of these
   switches may be implemented as a single switch, though having them
   separate gives more control to the user.








Ts'o & Altman               Standards Track                     [Page 9]

RFC 2941              Telnet Authentication Option        September 2000


8.  Example

   The following is an example of use of the option:

   Client                           Server
                                    IAC DO AUTHENTICATION
   IAC WILL AUTHENTICATION
   [ The server is now free to request authentication information.
     ]
                                    IAC SB AUTHENTICATION SEND
                                    KERBEROS_V4 CLIENT|MUTUAL
                                    KERBEROS_V4 CLIENT|ONE_WAY IAC
                                    SE
   [ The server has requested mutual Kerberos authentication, but is
     willing to do just one-way Kerberos authentication.  The client
     will now respond with the name of the user that it wants to log
     in as, and the Kerberos ticket.  ]
   IAC SB AUTHENTICATION NAME "joe"
   IAC SE
   IAC SB AUTHENTICATION IS
   KERBEROS_V4 CLIENT|MUTUAL AUTH 4
   7 1 67 82 65 89 46 67 7 9 77 0
   48 24 49 244 109 240 50 208 43
   35 25 116 104 44 167 21 201 224
   229 145 20 2 244 213 220 33 134
   148 4 251 249 233 229 152 77 2
   109 130 231 33 146 190 248 1 9
   31 95 94 15 120 224 0 225 76 205
   70 136 245 190 199 147 155 13
   IAC SE
   [ The server responds with an ACCEPT command to state that the
     authentication was successful.  ]
                                    IAC SB AUTHENTICATION REPLY
                                    KERBEROS_V4 CLIENT|MUTUAL ACCEPT
                                    IAC SE
   [ Next, the client sends across a CHALLENGE to verify that it is
     really talking to the right server.  ]
   IAC SB AUTHENTICATION IS
   KERBEROS_V4 CLIENT|MUTUAL
   CHALLENGE xx xx xx xx xx xx xx
   xx IAC SE
   [ Lastly, the server sends across a RESPONSE to prove that it
     really is the right server.

                                      IAC SB AUTHENTICATION REPLY
                                      KERBEROS_V4 CLIENT|MUTUAL
                                      RESPONSE yy yy yy yy yy yy yy yy
                                      IAC SE



Ts'o & Altman               Standards Track                    [Page 10]

RFC 2941              Telnet Authentication Option        September 2000