Telnet Authentication: Simple-Strong Authentication
Steven Schoch <schoch@sheba.arc.nasa.gov> Thu, 11 August 1994 16:35 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa07530; 11 Aug 94 12:35 EDT
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa07526; 11 Aug 94 12:35 EDT
Received: from timbuk.cray.com by CNRI.Reston.VA.US id aa06396; 11 Aug 94 12:35 EDT
Received: from sdiv.cray.com (daemon@ironwood.cray.com [128.162.21.36]) by timbuk.cray.com (8.6.9/8.6.9j) with SMTP id LAA06316; Thu, 11 Aug 1994 11:22:12 -0500
Received: by sdiv.cray.com (5.0/CRI-5.15.b.orgabbr Sdiv) id AA03481; Thu, 11 Aug 1994 11:21:28 +0600
Received: from timbuk.cray.com by sdiv.cray.com (5.0/CRI-5.15.b.orgabbr Sdiv) id AA03476; Thu, 11 Aug 1994 11:21:26 +0600
Received: from sheba.arc.nasa.gov (sheba.arc.nasa.gov [128.102.128.57]) by timbuk.cray.com (8.6.9/8.6.9j) with ESMTP id LAA06270 for <telnet-ietf@cray.com>; Thu, 11 Aug 1994 11:21:25 -0500
Received: by sheba.arc.nasa.gov (8.6.8/1.2); Thu, 11 Aug 1994 09:20:30 -0700
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Steven Schoch <schoch@sheba.arc.nasa.gov>
Message-Id: <9408110920.ZM12629@sheba.arc.nasa.gov>
Date: Thu, 11 Aug 1994 09:20:29 -0700
X-Face: K5i!Jd+&(ULhqxHaUa]Io_ZJ{~+aY1~TjL=!DDsksqJj!y<s[@<zQ1XL"b; 4U\{I:u':uZZ>Fr=8[Po(4Xy,'bN>>b$8D#!GRdXO/}t=q}%T5ZxA$4P@+[hJAs7x]|+ChBdurcJqCO$'tWhNO^Y%va%r)pj!J5\zX=1s8"
X-Mailer: Z-Mail (3.0.1 23feb94)
To: telnet-ietf@cray.com
Subject: Telnet Authentication: Simple-Strong Authentication
Cc: telnet@sheba.arc.nasa.gov
Mime-Version: 1.0
Encoding: 2 TEXT BOUNDARY, 9 MESSAGE, 2 TEXT BOUNDARY, 82 MESSAGE, 3 TEXT BOUNDARY
Content-Type: multipart/mixed; boundary="PART-BOUNDARY=.19408110920.ZM12629.arc.nasa.gov"
Content-Length: 3497
We have a working implementation of Telnet Authentication using the Simple-Strong Authentication method. I would like to see this proposed as an internet-draft. Can I get some feedback from the IETF group on this? Thanks. Steve
Steven Schoch NASA Ames August 1994 Telnet Authentication: Simple-Strong Authentication 1. Command Names and Codes Authentication Types SSA 23 (this number may change!) 2. Command Meanings IAC SB AUTHENTICATION IS <authentication-type-pair> <SSA token> IAC SE This is used to pass the Simple-Strong Authentication token to the remote side of the connection. The first octet of the <authentication-type-pair> value is SSA, to indicate the use of the Simple-Strong Authentication method. The format of the Simple-Strong Authentication token is defined as the "Authentication Value" in the NIST document "Output from the March 1994 OSE Implementors Workshop", part 12, section 9.1.1.1, and the X.511 standard (ISO9594-3). For the purposes of the telnet protocol, the "certification-path" element of "StrongCredentials" is not OPTIONAL. The token will be encoded using the ASN.1 Basic Encoding Rules (BER). Currently, the Simple-Strong-Authentication method only supports one-way authentication. Therefore the second octet of the <authentication-type-pair> must be AUTH_HOW_ONE_WAY. 3. Implementation Rules Because the purpose of this authentication type is to avoid sending clear-text passwords over the network, it is recommended that the client only send "Authentication-Value" tokens of type "Strong", not "Simple". This implies that the more-restrictive Distinguished Encoding Rules (DER) as defined in X.509 (ISO9594-8) be used. The "Strong" authentication token has the "Intended-Recipient" as one of its elements. Possible values for this element are the pseudo-DN "@o=Internet@presentationAddress=Internet=<IP address>" where <IP address> is the IP address of the server to which the client is connected, the pesudo-DN "@cn=<host.domain-name>" where <host.domain-name> is the fully-qualified domain name of the server, or a real DN that has been assigned to the server. Another possibility is to use a DN as specified in RFC-1608 or RFC-1609. The server will determine the identity of the sender of the token from the subject of the certificate sent as the first element of the "Certification-Path". If no IAC SB AUTHENTICATION NAME has been sent by the client, the server determines the user name by referring to a table that maps DNs to user names. If an IAC SB AUTHENTICATION NAME has been sent, the server determines whether the sender of the token is authorized to login as the user name by referring to a (possibly different) table which contains a list of possible user names for each DN. Author's Address Steven Schoch NASA Ames Research Center m/s 233-18 Moffett Field, CA 94035 Phone: (415) 604-4121 EMail: schoch@sheba.arc.nasa.gov
- Telnet Authentication: Simple-Strong Authenticati… Steven Schoch