telnetd and auth options

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Jul 17 12:08:01 EDT 2002


According to the man page for the telnet daemon in 1.2.5
the "-a user" and "-a valid" behavior is defined as follows:

...
  user        Only allow connections when the remote user can
              provide valid authentication information to iden-
              tify the remote user, and is allowed access to the
              specified account without providing a password.

  valid       Only allow connections when the remote user can
              provide valid authentication information to iden-
              tify the remote user.  The login(1) command will
              provide any additional user verification needed if
              the remote user is not allowed automatic access to
              the specified account.
...

This seems to indicate that the "user" authentication option is
a bit stricter than the "valid" option because "user" indicates that
the user was authenticated AND authorized to access the account,
whereas the "valid" option just needs proper authentication info.

Looking at the code in libtelnet/kerberos5.c (kerberos5_status)...

kerberos5_status(ap, name, level)
	Authenticator *ap;
	char *name;
	int level;
{
	if (level < AUTH_USER)
		return(level);

	if (UserNameRequested &&
	    krb5_kuserok(telnet_context, ticket->enc_part2->client,
			 UserNameRequested))
	{
		/* the name buffer comes from telnetd/telnetd{-ktd}.c */
		strncpy(name, UserNameRequested, 255);
		name[255] = '\0';
		return(AUTH_VALID);
	} else
		return(AUTH_USER);
}

This seems to do the opposite.  If the user is authenticated *and* authorized,
the status is set to VALID, and if the user is authenticated but not
authorized, the status is set to USER.

Is this a discrepancy or am I misreading the manpage and/or the code?

-Wyllys Ingersoll
   Sun Microsystems
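A small model, added here as an illustration and not part of the post or of the telnetd/libtelnet sources, makes the two readings comparable side by side. It keeps the ordering that the excerpt's `level < AUTH_USER` test and its return of `AUTH_VALID` after `krb5_kuserok()` imply (VALID above USER), and assumes a gate of the form "the status must reach the level selected with -a, and a VALID status skips the login(1) prompt". The numeric level values, the `gate()` comparison and the `decide()`/`model_status()` helpers are this model's assumptions, not code from the project:

```c
#include <stdio.h>
#include <string.h>

/*
 * Authentication levels, ordered the way the excerpt's "level < AUTH_USER"
 * test and its return of AUTH_VALID after krb5_kuserok() imply: VALID sits
 * above USER.  The numeric values are this model's assumption, not taken
 * from the post.
 */
enum auth_level { AUTH_UNKNOWN = 0, AUTH_OTHER = 1, AUTH_USER = 2, AUTH_VALID = 3 };

/* What a connection attempt ends in. */
enum outcome { DENY = 0, LOGIN_PROMPT = 1, AUTO_LOGIN = 2 };

/*
 * Model of kerberos5_status() from the post: a peer that authenticated is
 * at least AUTH_USER; one that is also authorized for the requested account
 * (the krb5_kuserok() branch) is AUTH_VALID.
 */
enum auth_level model_status(int authenticated, int authorized)
{
    if (!authenticated)
        return AUTH_UNKNOWN;
    return authorized ? AUTH_VALID : AUTH_USER;
}

/*
 * Assumed gate: the status must reach the level selected with -a, and a
 * VALID status (authorized for the account without a password) skips the
 * login(1) prompt.  This comparison is the model's assumption.
 */
enum outcome gate(enum auth_level required, enum auth_level status)
{
    if (status < required)
        return DENY;
    return status == AUTH_VALID ? AUTO_LOGIN : LOGIN_PROMPT;
}

/* Map a "-a" option value to the level it demands; other values act as "none". */
enum auth_level required_level(const char *a_option)
{
    if (strcmp(a_option, "valid") == 0)
        return AUTH_VALID;
    if (strcmp(a_option, "user") == 0)
        return AUTH_USER;
    return AUTH_UNKNOWN;
}

/* Outcome for one peer under one "-a" setting. */
enum outcome decide(const char *a_option, int authenticated, int authorized)
{
    return gate(required_level(a_option), model_status(authenticated, authorized));
}

static const char *outcome_name(enum outcome o)
{
    switch (o) {
    case AUTO_LOGIN:   return "auto-login";
    case LOGIN_PROMPT: return "login(1) prompt";
    default:           return "deny";
    }
}

/* Print the full decision table so both readings can be compared at a glance. */
int main(void)
{
    const char *opts[] = { "user", "valid" };
    size_t i;
    for (i = 0; i < sizeof opts / sizeof opts[0]; i++) {
        printf("-a %-6s unauthenticated          -> %s\n", opts[i],
               outcome_name(decide(opts[i], 0, 0)));
        printf("-a %-6s authenticated only       -> %s\n", opts[i],
               outcome_name(decide(opts[i], 1, 0)));
        printf("-a %-6s authenticated+authorized -> %s\n", opts[i],
               outcome_name(decide(opts[i], 1, 1)));
    }
    return 0;
}
```

With the excerpt's ordering, "-a user" lets an authenticated but unauthorized peer through to the login(1) prompt while "-a valid" refuses it, which is the behaviour the man page text attaches to the opposite labels. The model only shows that the two descriptions line up once the labels are swapped; which reading telnetd actually enforces is the question the post asks.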
