Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!apple!agate!shelby!ATHENA.MIT.EDU!tytso
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberized clients and servers
Message-ID: <9101292119.AA02549@tsx-11.MIT.EDU>
Date: 29 Jan 91 21:19:41 GMT
References: <1991Jan29.130053@IASTATE.EDU>
Sender: news@shelby.stanford.edu (USENET News System)
Reply-To: tytso@ATHENA.MIT.EDU
Organization: Internet-USENET Gateway at Stanford University
Lines: 30

   Date: 29 Jan 91 19:00:53 GMT
   From: john@IASTATE.EDU (Hascall John Paul)

   I am also working on passing similar data in a telnet option; I have
   been using telnet option 40 (if this goes any further an official
   option number should be requested/assigned).  Something like:

      telnet sends                              telnetd sends
      IAC WILL AUTH                             IAC DO AUTH
      IAC SB AUTH xxxxxx SPACE yyyyyy IAC SE

There is in fact an official authentication option for telnet; the way
it works is much as you describe, except for some extra complexity so
that the client and the server can negotiate which authentication scheme
they support (Kerberos V4, Kerberos V5, Smartcard, etc.)  Since ftp is
layered on top of telnet, this can also be used to provide
authentication for FTP.

Paul Borman of Cary Research is currently working on the version of
telnet/ftp that will go into BSD 4.4; it will be supporting this
authentication option of telnet.  I don't know whether or not it will be
possible for you to obtain a snapshot of the code to play with.  If it
is possible (and it does not take too much Kerberos V5 development time
away from us to package it up), and there is sufficient interest, we
might be able to make it available via anonymous FTP.

						- Ted
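
The option exchange sketched in the quoted message, as an added example that is not part of the original post or of any telnet implementation: a Python parser that pulls WILL/DO negotiations and `SB ... IAC SE` subnegotiations out of a byte stream, un-escaping `IAC IAC` and rejecting truncated or unterminated sequences. Option number 40 is the unofficial value mentioned in the quote; the function names and the sample bytes are assumptions made for illustration.

```python
# Added example; command bytes are standard telnet, AUTH = 40 is the unofficial
# option number used in the quoted post, and the sample bytes are constructed.
IAC, SB, SE, AUTH = 255, 250, 240, 40
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}


def read_subneg(buf, j):
    """Read an SB payload starting at index j; return (payload, index after IAC SE)."""
    payload = bytearray()
    while j + 1 < len(buf):
        if buf[j] != IAC:
            payload.append(buf[j])
            j += 1
        elif buf[j + 1] == SE:           # IAC SE closes the subnegotiation
            return bytes(payload), j + 2
        elif buf[j + 1] == IAC:          # IAC IAC is one literal 0xFF byte
            payload.append(IAC)
            j += 2
        else:
            raise ValueError("telnet command inside subnegotiation")
    raise ValueError("unterminated subnegotiation")


def parse_telnet(buf):
    """Split a telnet byte stream into (events, user_data)."""
    events, data, i = [], bytearray(), 0
    while i < len(buf):
        if buf[i] != IAC:
            data.append(buf[i])
            i += 1
            continue
        cmd, opt = buf[i + 1:i + 2], buf[i + 2:i + 3]   # empty when truncated
        if not cmd or (cmd[0] in VERBS or cmd[0] == SB) and not opt:
            raise ValueError("truncated IAC sequence")
        if cmd[0] == IAC:                # escaped 0xFF in the data stream
            data.append(IAC)
            i += 2
        elif cmd[0] == SB:
            payload, i = read_subneg(buf, i + 3)
            events.append(("SB", opt[0], payload))
        elif cmd[0] in VERBS:
            events.append((VERBS[cmd[0]], opt[0]))
            i += 3
        else:                            # two-byte command such as NOP
            events.append(("CMD", cmd[0]))
            i += 2
    return events, bytes(data)


CLIENT = bytes([IAC, 251, AUTH, IAC, SB, AUTH]) + b"xxxxxx yyy\xff\xffyyy\xff\xf0ls\r\n"  # constructed
```

Splitting the SB payload on the first space, as in `payload.split(b" ", 1)`, recovers the two fields the quoted layout shows; what those fields carry is not stated in the post.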