rfc927.TACACS-User-Identification-Telnet-Option

NetworkWorkingGroupBrianA.AndersonRequestforComments:927BBNDecember1984TACACSUserIdentificationTelnetOptionStatusofthisMemoThisRFCsuggestsaproposedprotocolfortheARPA-Internetcommunity,andrequestsdiscussionandsuggestionsforimprovements.Distributionofthismemoisunlimited.IntroductionThefollowingisthedescriptionofaTELNEToptiondesignedtofacilitatedoubleloginavoidance.ItisintendedprimarilyforTACconnectionstotargethostsonbehalfofTACusers,butitcanbeusedbetweenanytwoconsentinghosts.Forexample,allhostsatonesite(e.g.,BBN)canusethisoptiontoavoiddoubleloginwhenTELNETingtooneanother.1.CommandnameandcodeTUID262.CommandMeaningsIACWILLTUIDThesender(theTELNETuser)proposestoauthenticatetheuserandsendtheidentifingUUID;or,thesender(theTELNETuser)agreestoauthenticatetheuseronwhosebehalftheconnectionisinitiated.IACWON’TTUIDThesender(theTELNETuser)refusestoauthenticatetheuseronwhosebehalftheconnectionisinitiated.IACDOTUIDThesender(theTELNETserver)proposesthattherecipient(theTELNETuser)authenticatetheuserandsendtheidentifingUUID;or,thesender(theTELNETserver)agreestoaccepttherecipient’s(theTELNETuser’s)authenticationoftheuseridentifiedbyhisUUID.Anderson[Page1]RFC927December1984TUIDTelnetOptionIACDON’TTUIDThesender(theTELNETserver)refusestoaccepttherecipient’s(theTELNETuser)authenticationoftheuser.IACSBTUIDuuidIACSEThesender(theTELNETuser)sendstheUUIDuuidoftheuseronwhosebehalftheconnectionisestablishedtothehosttowhichheisconnected.Theuuidisa32bitbinarynumber.3.DefaultWON’TTUIDATELNETuserhost(theinitiatorofaTELNETconnection)notimplementingorusingtheTUIDoptionwillreplyWON’TTUIDtoaDOTUID.DON’TTUIDATELNETserverhost(therecipientofaTELNETconnection)notimplementingorusingtheTUIDoptionreplyDON’TTUIDtoaWILLTUID.4.MotivationfortheOptionUnderTACACS(theTACAccessControlSystem)ausermustbeauthenticated(giveacorrectname/passwordpair)toaTACbeforehecanconnecttoahostviatheTAC.Toavoidasecondauthenticationbythetargethost,theTACcanpassalongtheuser’sprovenidentity(hisUUID)tothethathost.HostsmayaccepttheTAC’sauthenticationoftheuserornot,attheiroption.Thesameoptioncanbeusedbetweenanypairofcooperatinghostsforthepurposeofdoubleloginavoidance.5.DescriptionfortheOptionAtthetimethatahostestablishesaTELNETconnectionforausertoanotherhost,ifthelattersupportstheTUIDoptionandwantstoreceivetheuser’sUUID,itsendsanIACDOTUIDtothetheuser’shost.Iftheuser’shostsupportstheTUIDoptionandwantstoauthenticatetheuserbysendingtheuser’sUUID,itrespondsIACWILLTUID;otherwiseitrespondswithIACWON’TTUID.IfboththeuserandserverTELNETsagree,theuserTELNETwillthensendtheUUIDtotheserverTELNETbysub-negotiation.Anderson[Page2]RFC927December1984TUIDTelnetOption6.ExamplesTherearetwopossiblenegotiationsthatresultinthedoubleloginavoidanceauthenticationofauser.BoththeserverandtheuserTELNETsupporttheTUIDoption.S=Server,U=UserCase1:S-IACDOTUIDU-IACWILLTUIDU-IACSBTUID32-bitUUIDIACSECase2:U-IACWILLTUIDS-IACDOTUIDU-IACSBTUID32-bitUUIDIACSETherearealsotwopossiblenegoitiationsthatdonotresultintheauthenticationofauser.InthefirstexampletheserversupportsTUIDandtheuserTELNETdoesn’t.InthesecondexampletheuserTELNETsupportsTUIDbuttheserverTELNETdoesn’t.S=Server,U=UserCase3:S-IACDOTUIDU-IACWONTTUIDCase4:U-IACWILLTUIDS-IACDONTTUIDTheTUIDistransmittedwiththesubnegotiationcommand.Forexample,iftheUUIDhadthevalue1thefollowingstringofoctetswouldbetransmitted:IACSBTUID0001IACSEIftheUUIDhadthevalue255thefollowingstringofoctetswouldbetransmitted:IACSBTUID000IACIACIACSEAnderson[Page3]RFC927December1984TUIDTelnetOptionIftheUUIDhadthevalueofallonesthefollowingstringofoctetswouldbetransmitted:IACSBTUIDIACIACIACIACIACIACIACIACIACSEAnderson[Page4]