There are three methods of guaranteeing secure operation of TELNET by means of authentication and encryption:
START-TLS option
The START-TLS option was implemented exclusively for TLS. In BS2000 it is supported by the server option -Z tls-required.
“Telnet Authentication Option” (RFC 2941) for negotiating an authentication method
In BS2000 only TLS is currently supported. The “Telnet Authentication Option” is selected using the option -B. The “Telnet Authentication Option” may gain in importance in the future because it permits a very wide variety of authentication methods to be supported, including Kerberos. In the following, the “Telnet Authentication Option” is referred to as the AUTHENTICATION option.
“Telnet Data Encryption Option” (RFC 2946) for negotiating a symmetric encryption method and the associated key
In BS2000 only DES 64 (RFC 2952, RFC 2953) is currently supported. The “Telnet Data Encryption Option” is selected using the server option -H. In the following, the “Telnet Data Encryption Option” is referred to as the ENCRYPTION option.
The START-TLS option (see "-Z option - Support of the START-TLS option"), the AUTHENTICATION option (see "-B option - Enable/disable the AUTHENTICATION option") and the ENCRYPTION option (see "-H option - Enable/disable the ENCRYPTION option") are described in detail in the following sections.
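To check from the network side which of the three options a TELNET server actually negotiates, the following added example (not part of the original manual or of BS2000) parses the option negotiation in a captured byte stream. The option codes 37, 38 and 46 are taken from the IANA Telnet Options registry, not from this page, and the sample bytes are constructed.

```python
# Added example: parses TELNET option negotiation (RFC 854 framing).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# Assumption: option codes from the IANA Telnet Options registry.
SECURITY_OPTIONS = {37: "AUTHENTICATION", 38: "ENCRYPT", 46: "START_TLS"}


def security_negotiation(stream: bytes) -> list[tuple[str, str]]:
    """Return (verb, option) pairs for the three security options, in order."""
    found, i, n = [], 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                      # ordinary data byte
            continue
        if i + 1 >= n:
            break                       # truncated capture
        cmd = stream[i + 1]
        if cmd in VERBS:
            if i + 2 >= n:
                break                   # verb without its option byte
            name = SECURITY_OPTIONS.get(stream[i + 2])
            if name:
                found.append((VERBS[cmd], name))
            i += 3
        elif cmd == SB:
            # Skip the subnegotiation payload up to IAC SE; IAC IAC inside
            # it is an escaped 0xFF and must not end the block early.
            j = i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            i = j + 2
        else:
            i += 2                      # IAC IAC or a two-byte command
    return found


def offered(stream: bytes) -> set[str]:
    """Security options the sender agreed to or requested (DO or WILL)."""
    return {opt for verb, opt in security_negotiation(stream) if verb in ("DO", "WILL")}


# Constructed sample: DO START_TLS, DO AUTHENTICATION, WILL ENCRYPT,
# WILL ECHO, SB TERMINAL-TYPE SEND, then a login prompt.
SAMPLE = bytes([255, 253, 46, 255, 253, 37, 255, 251, 38, 255, 251, 1,
                255, 250, 24, 1, 255, 240]) + b"login: "

if __name__ == "__main__":
    print(security_negotiation(SAMPLE))
    print("not offered:", sorted(set(SECURITY_OPTIONS.values()) - offered(SAMPLE)))
```

An option that never appears with DO or WILL in the server's stream was not negotiated, so the session runs without that protection.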
In the case of the options below, the equals sign must immediately follow the option name without a space and the option value must immediately follow the equals sign, also without a space.