This section describes how the sub-option commands shall be used. All the sub-option commands defined may be sent by both the client and the server. The following sub-negotiation sequences specifies IS/REPLY as the authentication sub-option. This must be replaced by IS if the sequence is sent by the client, and by REPLY if sent by the server.
IAC SB AUTHENTICATION IS/REPLY <authentication-type-pair> CHALLENGE <challenge> IAC SE
This sequence is used to send the challenge information to the party we want to authenticate. The authentication-type-pair field is the authentication-type-pair selected by the client when it received the AUTHENTICATION SEND command. This pair is sent in all the commands involved in the authentication procedure. It is needed in order to hand the authentication sub-commands on to the right routines in the Telnet client and server applications.
IAC SB AUTHENTICATION IS/REPLY <authentication-type-pair> AUTH <pgp-authentication-information> IAC SE
This sub-option sequence is used to pass the authentication information to the other party. It is sent in response to a CHALLENGE sequence.
IAC SB AUTHENTICATION IS/REPLY <authentication-type-pair> QUERYPUBKEY IAC SE
This is used when one of the sides do not know or wants an updated version of the PGP public key of the other party. It could be used be at any time after the parties has agreed to use PGP authentication.
IAC SB AUTHENTICATION IS/REPLY <authentication-type-pair> PUBKEY <pgp-public-key> IAC SE
This command sends the public key to the remote end. It should only be sent in response to a QUERYPUBKEY sub-option sequence. If this sequence is received and no QUERYPUBKEY has been sent it should be ignored.
IAC SB AUTHENTICATION IS/REPLY <authentication-type-pair> ACCEPT IAC SE
This command indicates that the received authentication information was accepted. If the recipient of this sequence is the client, he is now granted access to the use the server. The receipt of this sequence does not necessarily mean that the authentication procedure is completed. If the AUTH_HOW_MASK bit is set to AUTH_HOW_MUTUAL, the authentication information must be exchanged in both directions.
IAC SB AUTHENTICATION IS/REPLY <authentication-type-pair> REJECT <optional reason for rejection> IAC SE
This command indicates that the authentication was not successful, and if there is any more data in the sub-option, it is an ASCII text message of the reason for the rejection. The text message could be displayed to the user if an (interactive) Telnet client received the REJECT signal, or written to a system log file. Some possible reasons for rejection are: