1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
|
<pre>Network Working Group Mike StJohns
Request for Comments: 931 TPSC
Supersedes: <a href="./rfc912">RFC 912</a> January 1985
<span class="h1">Authentication Server</span>
STATUS OF THIS MEMO
This RFC suggests a proposed protocol for the ARPA-Internet
community, and requests discussion and suggestions for improvements.
This is the second draft of this proposal (superseding <a href="./rfc912">RFC 912</a>) and
incorporates a more formal description of the syntax for the request
and response dialog, as well as a change to specify the type of user
identification returned. Distribution of this memo is unlimited.
INTRODUCTION
The Authentication Server Protocol provides a means to determine the
identity of a user of a particular TCP connection. Given a TCP port
number pair, it returns a character string which identifies the owner
of that connection on the server's system. Suggested uses include
automatic identification and verification of a user during an FTP
session, additional verification of a TAC dial up user, and access
verification for a generalized network file server.
OVERVIEW
This is a connection based application on TCP. A server listens for
TCP connections on TCP port 113 (decimal). Once a connection is
established, the server reads one line of data which specifies the
connection of interest. If it exists, the system dependent user
identifier of the connection of interest is sent out the connection.
The service closes the connection after sending the user identifier.
RESTRICTIONS
Queries are permitted only for fully specified connections. The
local/foreign host pair used to fully specify the connection are
taken from the query connection. This means a user on Host A may
only query the server on Host B about connections between A and B.
<span class="grey">StJohns [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc931">RFC 931</a> January 1985</span>
Authentication Server
QUERY/RESPONSE FORMAT
The server accepts simple text query requests of the form
<local-port>, <foreign-port>
where <local-port> is the TCP port (decimal) on the target (server)
system, and <foreign-port> is the TCP port (decimal) on the source
(user) system.
For example:
23, 6191
The response is of the form
<local-port>, <foreign-port> : <response-type> : <additional-info>
where <local-port>,<foreign-port> are the same pair as the query,
<response-type> is a keyword identifying the type of response, and
<additional info> is context dependent.
For example:
23, 6191 : USERID : MULTICS : StJohns.DODCSC.a
23, 6193 : USERID : TAC : MCSJ-MITMUL
23, 6195 : ERROR : NO-USER
RESPONSE TYPES
A response can be one of two types:
USERID
In this case, <additional-info> is a string consisting of an
operating system name, followed by a ":", followed by user
identification string in a format peculiar to the operating system
indicated. Permitted operating system names are specified in
<a href="./rfc923">RFC-923</a>, "Assigned Numbers" or its successors. The only other
names permitted are "TAC" to specify a BBN Terminal Access
Controller, and "OTHER" to specify any other operating system not
yet registered with the NIC.
<span class="grey">StJohns [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc931">RFC 931</a> January 1985</span>
Authentication Server
ERROR
For some reason the owner of <TCP-port> could not be determined,
<additional-info> tells why. The following are suggested values
of <additional-info> and their meanings.
INVALID-PORT
Either the local or foreign port was improperly specified.
NO-USER
The connection specified by the port pair is not currently in
use.
UNKNOWN-ERROR
Can't determine connection owner; reason unknown. Other values
may be specified as necessary.
CAVEATS
Unfortunately, the trustworthiness of the various host systems that
might implement an authentication server will vary quite a bit. It
is up to the various applications that will use the server to
determine the amount of trust they will place in the returned
information. It may be appropriate in some cases restrict the use of
the server to within a locally controlled subnet.
APPLICATIONS
1) Automatic user authentication for FTP
A user-FTP may send a USER command with no argument to the
server-FTP to request automatic authentication. The server-FTP
will reply with a 230 (user logged in) if it can use the
authentication. It will reply with a 530 (not logged in) if it
cannot authenticate the user. It will reply with a 500 or 501
(syntax or parameter problem) if it does not implement automatic
authentication. Please note that no change is needed to currently
implemented servers to handle the request for authentication; they
will reject it normally as a parameter problem. This is a
suggested implementation for experimental use only.
2) Verification for privileged network operations. For example,
having the server start or stop special purpose servers.
<span class="grey">StJohns [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc931">RFC 931</a> January 1985</span>
Authentication Server
3) Elimination of "double login" for TAC and other TELNET users.
This will be implemented as a TELNET option.
FORMAL SYNTAX
<request> ::= <port-pair> <CR> <LF>
<port-pair> ::= <integer-number> "," <integer-number>
<reply> ::= <reply-text> <CR> <LF>
<reply-text> ::= <error-reply> | <auth-reply>
<error-reply> ::= <port-pair> ":" ERROR ":" <error-type>
<auth-reply> ::= <port-pair> ":" USERID ":" <opsys> ":" <user-id>
<error-type> ::= INVALID-PORT | NO-USER | UNKNOWN-ERROR
<opsys> ::= TAC | OTHER | MULTICS | UNIX ...etc.
(See "Assigned Numbers")
Notes on Syntax:
1) White space (blanks and tab characters) between tokens is not
important and may be ignored.
2) White space, the token separator character (":"), and the port
pair separator character (",") must be quoted if used within a
token. The quote character is a back-slash, ASCII 92 (decimal)
("\"). For example, a quoted colon is "\:". The back-slash must
also be quoted if its needed to represent itself ("\\").
Notes on User Identification Format:
The user identifier returned by the server should be the standard one
for the system. For example, the standard Multics identifier
consists of a PERSONID followed by a ".", followed by a PROJECTID,
followed by a ".", followed by an INSTANCE TAG of one character. An
instance tag of "a" identifies an interactive user, and instance tag
of "m" identifies an absentee job (batch job) user, and an instance
tag of "z" identifies a daemon (background) user.
Each set of operating system users must come to a consensus as to
<span class="grey">StJohns [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc931">RFC 931</a> January 1985</span>
Authentication Server
what the OFFICIAL user identification for their systems will be.
Until they register this information, they must use the "OTHER" tag
to specify their user identification.
Notes on User Identification Translation:
Once you have a user identifier from a remote system, you must then
have a way of translating it into an identifier that meaningful on
the local system. The following is a sketchy outline of table driven
scheme for doing this.
The table consists of four columns, the first three are used to match
against, the fourth is the result.
USERID Opsys Address Result
MCSJ-MITMUL TAC 26.*.*.* StJohns
* MULTICS 192.5.42.* =
* OTHER 10.0.0.42 anonymous
MSJ ITS 10.3.0.44 StJohns
The above table is a sample one for a Multics system on MILNET at the
Pentagon. When an authentication is returned, the particular
application using the userid simply looks for the first match in the
table. Notice the second line. It says that any authentication
coming from a Multics system on Net 192.5.42 is accepted in the same
format.
Obviously, various users will have to be registered to use this
facility, but the registration can be done at the same time the use
receives his login identity from the system.
StJohns [Page 5]
</pre>
|
