IETF Logo Mail Archive

Telnet Authentication: Simple-Strong Authentication

Steven Schoch <schoch@sheba.arc.nasa.gov> Thu, 11 August 1994 16:35 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa07530; 11 Aug 94 12:35 EDT
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa07526; 11 Aug 94 12:35 EDT
Received: from timbuk.cray.com by CNRI.Reston.VA.US id aa06396; 11 Aug 94 12:35 EDT
Received: from sdiv.cray.com (daemon@ironwood.cray.com [128.162.21.36]) by timbuk.cray.com (8.6.9/8.6.9j) with SMTP id LAA06316; Thu, 11 Aug 1994 11:22:12 -0500
Received: by sdiv.cray.com (5.0/CRI-5.15.b.orgabbr Sdiv) id AA03481; Thu, 11 Aug 1994 11:21:28 +0600
Received: from timbuk.cray.com by sdiv.cray.com (5.0/CRI-5.15.b.orgabbr Sdiv) id AA03476; Thu, 11 Aug 1994 11:21:26 +0600
Received: from sheba.arc.nasa.gov (sheba.arc.nasa.gov [128.102.128.57]) by timbuk.cray.com (8.6.9/8.6.9j) with ESMTP id LAA06270 for <telnet-ietf@cray.com>; Thu, 11 Aug 1994 11:21:25 -0500
Received: by sheba.arc.nasa.gov (8.6.8/1.2); Thu, 11 Aug 1994 09:20:30 -0700
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Steven Schoch <schoch@sheba.arc.nasa.gov>
Message-Id: <9408110920.ZM12629@sheba.arc.nasa.gov>
Date: Thu, 11 Aug 1994 09:20:29 -0700
X-Face: K5i!Jd+&(ULhqxHaUa]Io_ZJ{~+aY1~TjL=!DDsksqJj!y<s[@<zQ1XL"b; 4U\{I:u':uZZ>Fr=8[Po(4Xy,'bN>>b$8D#!GRdXO/}t=q}%T5ZxA$4P@+[hJAs7x]|+ChBdurcJqCO$'tWhNO^Y%va%r)pj!J5\zX=1s8"
X-Mailer: Z-Mail (3.0.1 23feb94)
To: telnet-ietf@cray.com
Subject: Telnet Authentication: Simple-Strong Authentication
Cc: telnet@sheba.arc.nasa.gov
Mime-Version: 1.0
Encoding: 2 TEXT BOUNDARY, 9 MESSAGE, 2 TEXT BOUNDARY, 82 MESSAGE, 3 TEXT BOUNDARY
Content-Type: multipart/mixed; boundary="PART-BOUNDARY=.19408110920.ZM12629.arc.nasa.gov"
Content-Length: 3497

We have a working implementation of Telnet Authentication using the
Simple-Strong Authentication method.  I would like to see this proposed
as an internet-draft.  Can I get some feedback from the IETF group on this?
Thanks.

	Steve





							    Steven Schoch
							    NASA Ames
							    August 1994


               Telnet Authentication: Simple-Strong Authentication


1. Command Names and Codes

   Authentication Types

      SSA  23	(this number may change!)

2.  Command Meanings

   IAC SB AUTHENTICATION IS <authentication-type-pair> <SSA token> IAC SE

      This is used to pass the Simple-Strong Authentication token to
      the remote side of the connection.  The first octet of the
      <authentication-type-pair> value is SSA, to indicate the use of
      the Simple-Strong Authentication method.

      The format of the Simple-Strong Authentication token is defined
      as the "Authentication Value" in the NIST document "Output from
      the March 1994 OSE Implementors Workshop", part 12, section
      9.1.1.1, and the X.511 standard (ISO9594-3).  For the purposes of
      the telnet protocol, the "certification-path" element of
      "StrongCredentials" is not OPTIONAL.

      The token will be encoded using the ASN.1 Basic Encoding Rules (BER).

      Currently, the Simple-Strong-Authentication method only supports
      one-way authentication.  Therefore the second octet of the
      <authentication-type-pair> must be AUTH_HOW_ONE_WAY.

3.  Implementation Rules

   Because the purpose of this authentication type is to avoid sending
   clear-text passwords over the network, it is recommended that the
   client only send "Authentication-Value" tokens of type "Strong", not
   "Simple".  This implies that the more-restrictive Distinguished
   Encoding Rules (DER) as defined in X.509 (ISO9594-8) be used.

   The "Strong" authentication token has the "Intended-Recipient" as
   one of its elements.  Possible values for this element are the
   pseudo-DN "@o=Internet@presentationAddress=Internet=<IP address>"
   where <IP address> is the IP address of the server to which the
   client is connected, the pesudo-DN "@cn=<host.domain-name>" where
   <host.domain-name> is the fully-qualified domain name of the server,
   or a real DN that has been assigned to the server.  Another possibility
   is to use a DN as specified in RFC-1608 or RFC-1609.

   The server will determine the identity of the sender of the token
   from the subject of the certificate sent as the first element of the
   "Certification-Path".  If no IAC SB AUTHENTICATION NAME has been
   sent by the client, the server determines the user name by referring
   to a table that maps DNs to user names.  If an IAC SB AUTHENTICATION
   NAME has been sent, the server determines whether the sender of the
   token is authorized to login as the user name by referring to a
   (possibly different) table which contains a list of possible user names
   for each DN.

Author's Address

   Steven Schoch NASA
   Ames Research Center
   m/s 233-18
   Moffett Field, CA 94035

   Phone: (415) 604-4121
   EMail: schoch@sheba.arc.nasa.gov

v2.23.0 | Report a Bug | By Email