idnits 2.17.1 draft-ietf-telnet-authspx-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-19) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity. ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. ** Expected the document's filename to be given on the first page, but didn't find any == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Abstract section. ** The document seems to lack an Introduction section. ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == Couldn't figure out when the document was first submitted -- there may comments or warnings related to the use of a disclaimer for pre-RFC5378 work that could not be issued because of this. Please check the Legal Provisions document at https://trustee.ietf.org/license-info to determine if you need the pre-RFC5378 disclaimer. -- The document date (July 1992) is 11601 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 11 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group Internet Engineering Task Force 3 Internet-Draft Telnet Working Group 4 Kannan Alagappan 5 Digital Equipment Corporation 6 July 1992 8 Telnet Authentication : SPX 10 Status of this Memo 12 This document is an Internet Draft. Internet Drafts are working 13 documents of the Internet Engineering Task Force (IETF), its Areas, 14 and its Working Groups. Note that other groups may also distribute 15 working documents as Internet Drafts. 17 Internet Drafts are draft documents valid for a maximum of six 18 months. Internet Drafts may be updated, replaced, or obsoleted by 19 other documents at any time. It is not appropriate to use Internet 20 Drafts as reference material or to cite them other than as a "working 21 draft" or "work in progress." 23 Please check the 1id-abstracts.txt listing contained in the 24 internet-drafts Shadow Directories on nic.ddn.mil, nnsc.nsf.net, 25 nic.nordu.net, ftp.nisc.sri.com, or munnari.oz.au to learn the 26 current status of any Internet Draft. 28 1. Command Names and Codes 30 Authentication Types 32 SPX 3 34 Suboption Commands 36 AUTH 0 37 REJECT 1 38 ACCEPT 2 40 2. Command Meanings 42 IAC SB AUTHENTICATION IS AUTH IAC SE 45 This is used to pass the SPX authentication token to the remote 46 side of the connection. (A document which describes the authenti- 47 cation token syntax is forthcoming.) The first octet of the 48 value is SPX. The second octet is a 49 modifier to the SPX authentication type. 51 IAC SB AUTHENTICATION REPLY ACCEPT IAC SE 54 This command indicates that the authentication was successful. 55 After an SPX authentication exchange, both sides have securely es- 56 tablished a random 8-byte key to be used as the default key for 57 the ENCRYPTION option. If the AUTH_HOW_MUTUAL bit is set in the 58 second octet of the authentication-type-pair, the sender includes 59 the mutual response bytes. The receiver of the ACCEPT command 60 compares the "mutual response" with its expected mutual response. 61 (A document which describes the mutual response syntax is forth- 62 coming.) If the AUTH_HOW_ONE_WAY bit is set in the second octet 63 of the authentication-type-pair, the sender includes zero bytes of 64 mutual response. 66 IAC SB AUTHENTICATION REPLY REJECT IAC SE 69 This command indicates that the authentication was not successful, 70 and if there is any more data in the sub-option, it is an ASCII 71 text message of the reason for the rejection. 73 3. Implementation Rules 75 Every command after the first AUTHENTICATION IS must carry the same 76 set of modifiers (e.g., CLIENT|MUTUAL) for subsequent AUTHENTICATION 77 IS and AUTHENTICATION REPLY commands. 79 If the second octet of the authentication-type-pair has the AUTH_WHO 80 bit set to AUTH_WHO_CLIENT, then the client sends the initial AUTH 81 command, and the server responds with either ACCEPT or REJECT. 83 If the second octet of the authentication-type-pair has the AUTH_WHO 84 bit set to AUTH_WHO_SERVER, then the server sends the initial AUTH 85 command, and the client responds with either ACCEPT or REJECT. 87 4. Examples 89 User "joe" may wish to log in as user "pete" on machine "foo". If 90 "pete" has set things up on "foo" to allow "joe" access to his ac- 91 count, then the client would send IAC SB AUTHENTICATION NAME "pete" 92 IAC SE IAC SB AUTHENTICATION IS SPX AUTH IAC SE. The server would then authenticate the user as "joe" 94 from the token information, and the server would send back either AC- 95 CEPT or REJECT. If mutual authentication is being used, the server 96 would include in the ACCEPT message, a mutual response. The authori- 97 zation check to see if "pete" is allowing "joe" to use his account is 98 made after the authentication exchange is complete. Therefore, it is 99 possible for the client to receive an ACCEPT response (based on the 100 authentication token), but for joe to be denied access to log in to 101 pete's account. 103 Client Server 104 IAC DO AUTHENTICATION 105 IAC WILL AUTHENTICATION 107 [ The server is now free to request authentication information. 108 ] 110 IAC SB AUTHENTICATION SEND SPX 111 CLIENT|MUTUAL SPX CLIENT|ONE_WAY 112 IAC SE 114 [ The server has requested mutual SPX authentication. If mutual 115 authentication is not supported, then the server is willing to 116 do one-way SPX authentication. ] 118 [ The client will now respond with the name of the user that it 119 wants to log in as, and the SPX authentication token. ] 121 IAC SB AUTHENTICATION NAME 122 "pete" IAC SE 123 IAC SB AUTHENTICATION IS SPX 124 CLIENT|MUTUAL AUTH IAC SE 128 [ The server responds with an ACCEPT command to state that the 129 authentication was successful. ] 131 [ If AUTH_HOW_MUTUAL, the server responds with the mutual 132 response so the client can verify that it is really talking to 133 the right server. ] 135 [ If AUTH_HOW_ONE_WAY, the server responds with a NULL mutual 136 response, since the client is willing to trust the server 137 already. ] 139 IAC SB AUTHENTICATION REPLY SPX 140 CLIENT|MUTUAL ACCEPT IAC SE 143 Author's Address 145 Kannan Alagappan 146 Digital Equipment Corporation 147 550 King Street, LKG1-2/A19 148 Littleton, MA 01460 150 Mailing List: telnet-ietf@CRAY.COM 151 EMail: kannan@sejour.lkg.dec.com 153 The working group can be contacted via the current chair: 155 Steve Alexander 156 INTERACTIVE Systems Corporation 157 1901 North Naper Boulevard 158 Naperville, IL 60563-8895 160 Phone: (708) 505-9100 x256 161 EMail: stevea@isc.com