
Definitions

The authentication types defined in RFC 1416 are:

RFC 1416 does not define how authentication shall be performed for these types. It only provides the framework which can be used for exchange of the authentication information.

The standard defines an option called AUTHENTICATION with the following sub-options:

SEND
Used by the server to send a list of supported authentication type pairs (described below) to the client.
IS
Used by the client to select and send authentication information for an authentication type supported by the server.
REPLY
Used by the server to reply to the authentication information received in a previous IS command. Also used to authenticate the server to the client.
NAME
Used by the client to specify an account name on the remote host that the user wants to use.

Authentication-type-pairs are used to specify supported and selected authentication methods. An authentication type pair consists of an authentication type byte and an authentication type "modifier" byte.

The authentication type byte is one of the types listed above (e.g. KERBEROS_V4) or a new type specified in other Telnet Authentication RFC documents.

Two bits in the modifier byte are currently defined, the AUTH_WHO_MASK and the AUTH_HOW_MASK. These bits define in which direction(s) the authentication should be performed. The AUTH_WHO_MASK bit can have the value AUTH_CLIENT_TO_SERVER (bit clear) or AUTH_SERVER_TO_CLIENT (bit set). The AUTH_HOW_MASK bit can have the value AUTH_HOW_ONE_WAY (bit clear) or AUTH_HOW_MUTUAL (bit set). The following list describes the four possible combinations of the modifier bits.

AUTH_CLIENT_TO_SERVER AUTH_HOW_ONE_WAY
Only the client will send authentication information. If the server accepts the information, the server has authenticated the client. This corresponds to normal password authentication.
AUTH_SERVER_TO_CLIENT AUTH_HOW_ONE_WAY
Only the server will send authentication information. If successful, the client user will know he connected to the right server.
AUTH_CLIENT_TO_SERVER AUTH_HOW_MUTUAL
The client will first send its authentication information to the server. If the server accepts the information, it will authenticate itself to the client. If both negotiations are successful, both parties will know that they are talking to the party they want to be connected to.
AUTH_SERVER_TO_CLIENT AUTH_HOW_MUTUAL
This corresponds to the previous case, but here the server will first authenticate itself to the client. If the client accepts the authentication information, the client will send its authentication information to the server.

The authentication-type-pair-list is used to transfer an ordered list of supported authentication types. The first entry in the list is the type of authentication the server would prefer to use.
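
As an added example (not part of the original page or of RFC 1416), the following Python code decodes the pair list carried in a SEND sub-option and applies a client-side policy that walks the list in the server's preference order and refuses any pair that is not mutual. The numeric constants are the values assigned in RFC 1416; the function names `parse_send` and `select_pair`, the policy itself and the `SAMPLE` frame are assumptions constructed for illustration.

```python
# Numeric values are those assigned in RFC 1416; this page names them without listing them.
AUTH_TYPES = {0: "NULL", 1: "KERBEROS_V4", 2: "KERBEROS_V5", 3: "SPX", 6: "RSA", 10: "LOKI"}
IAC, SB, SE, AUTHENTICATION, SEND = 255, 250, 240, 37, 1
AUTH_WHO_MASK, AUTH_SERVER_TO_CLIENT = 0x01, 0x01
AUTH_HOW_MASK, AUTH_HOW_MUTUAL = 0x02, 0x02


def parse_send(frame: bytes):
    """Decode IAC SB AUTHENTICATION SEND <pair-list> IAC SE, keeping the server's order."""
    if frame[:4] != bytes([IAC, SB, AUTHENTICATION, SEND]) or frame[-2:] != bytes([IAC, SE]):
        raise ValueError("not an AUTHENTICATION SEND sub-option")
    body = frame[4:-2].replace(bytes([IAC, IAC]), bytes([IAC]))  # undo Telnet IAC doubling
    if len(body) % 2:
        raise ValueError("pair list has a dangling byte (type without modifier)")
    pairs = []
    for i in range(0, len(body), 2):
        auth_type, modifier = body[i], body[i + 1]
        to_client = modifier & AUTH_WHO_MASK == AUTH_SERVER_TO_CLIENT
        mutual = modifier & AUTH_HOW_MASK == AUTH_HOW_MUTUAL
        pairs.append({
            "type": AUTH_TYPES.get(auth_type, f"UNKNOWN_{auth_type}"),
            "who": "SERVER_TO_CLIENT" if to_client else "CLIENT_TO_SERVER",
            "how": "MUTUAL" if mutual else "ONE_WAY",
            "raw": (auth_type, modifier),
        })
    return pairs


def select_pair(pairs, acceptable=("KERBEROS_V4", "KERBEROS_V5"), require_mutual=True):
    """Hypothetical client policy: first server-preferred pair that the client accepts."""
    for pair in pairs:
        if pair["type"] in acceptable and (pair["how"] == "MUTUAL" or not require_mutual):
            return pair
    return None  # nothing acceptable was offered; the caller should not authenticate


# Constructed sample: the server offers KERBEROS_V4 mutual, KERBEROS_V4 one-way, then NULL.
SAMPLE = bytes([IAC, SB, AUTHENTICATION, SEND, 1, 2, 1, 0, 0, 0, IAC, SE])

if __name__ == "__main__":
    for pair in parse_send(SAMPLE):
        print(pair)
    print("selected:", select_pair(parse_send(SAMPLE)))
```

If a list that previously contained a mutual pair arrives with only one-way or NULL entries, `select_pair` returns `None` under the default policy, which lets the client treat a weakened offer as a failure instead of silently falling back.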



Asgaut Eng
Wed Apr 10 14:07:30 MET DST 1996