Internet Security Professional Reference: How to Build a Firewall


The operation rule is essential to administrators who want to restrict the commands that can be executed by certain users at certain times. This is done by adding configuration rules consisting of the user, the operation, and the time restrictions to the netperm-table. These rules apply to the authsrv command and not to the individual proxies themselves. Consider the example shown here:

authsrv permit-operation user chrish telnet-gw relay.cdnnet.ca time 08:00 17:00
authsrv deny-operation user paulp telnet-gw mailserver.comewhere.com time 17:01 07:59
authsrv permit-operation group admin telnet-gw * time 08:00 17:00

You can see that through careful consideration, the availability of various services can be tightly controlled depending on the environment and the organization’s security policy. With the authentication server configured and ready, users must now be added so that they can be authenticated whenever necessary.
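As an added worked example (not code from the book or from the TIS toolkit), the following Python parses the three rules above and evaluates a request against them. The matching semantics it uses are assumptions the page does not spell out: rules are tried in file order and the first match decides, a request matching no rule is denied, a destination of `*` is a wildcard, and a window whose end precedes its start (17:01 07:59) spans midnight.

```python
"""Evaluate authsrv permit-operation / deny-operation rules from a netperm-table.

Constructed example, not TIS FWTK code.  Assumptions not stated on the page:
rules are tried in file order and the first match decides; a request that
matches no rule is denied; a destination of '*' is a wildcard; a window whose
end precedes its start (17:01 07:59) spans midnight.
"""
import fnmatch
from datetime import time

# The three rules shown on the page, reproduced here as sample input.
RULES_TEXT = """\
authsrv permit-operation user chrish telnet-gw relay.cdnnet.ca time 08:00 17:00
authsrv deny-operation user paulp telnet-gw mailserver.comewhere.com time 17:01 07:59
authsrv permit-operation group admin telnet-gw * time 08:00 17:00
"""


def hhmm(text):
    """'08:00' -> datetime.time(8, 0); raises ValueError on anything else."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_rules(text):
    """Return a list of rule dicts; raise ValueError on a malformed line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 9 or fields[0] != "authsrv" or fields[6] != "time":
            raise ValueError(f"line {lineno}: not an authsrv operation rule: {line!r}")
        verb, kind = fields[1], fields[2]
        if verb not in ("permit-operation", "deny-operation"):
            raise ValueError(f"line {lineno}: unknown verb {verb!r}")
        if kind not in ("user", "group"):
            raise ValueError(f"line {lineno}: subject must be 'user' or 'group'")
        rules.append({
            "permit": verb == "permit-operation",
            "kind": kind,            # 'user' or 'group'
            "name": fields[3],       # user name or group name
            "proxy": fields[4],      # e.g. telnet-gw
            "dest": fields[5],       # destination host pattern ('*' = any)
            "start": hhmm(fields[7]),
            "end": hhmm(fields[8]),
        })
    return rules


def in_window(now, start, end):
    """Inclusive time-of-day check; a window with end < start wraps past midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def decide(rules, user, groups, proxy, dest, now):
    """Return 'permit' or 'deny' for one request; the first matching rule wins.

    `now` may be a datetime.time or an 'HH:MM' string.
    """
    if isinstance(now, str):
        now = hhmm(now)
    for rule in rules:
        if rule["kind"] == "user":
            subject_matches = rule["name"] == user
        else:
            subject_matches = rule["name"] in groups
        if not subject_matches or rule["proxy"] != proxy:
            continue
        if not fnmatch.fnmatchcase(dest, rule["dest"]):
            continue
        if not in_window(now, rule["start"], rule["end"]):
            continue
        return "permit" if rule["permit"] else "deny"
    return "deny"    # assumption: no rule matched, so the operation is refused


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print(decide(rules, "chrish", [], "telnet-gw", "relay.cdnnet.ca", "09:00"))
    print(decide(rules, "paulp", [], "telnet-gw", "mailserver.comewhere.com", "23:30"))
    print(decide(rules, "alice", ["admin"], "telnet-gw", "anyhost.example", "10:00"))
```

The default-deny fallthrough is what makes the first rule meaningful: chrish is permitted only to relay.cdnnet.ca during office hours and refused everywhere else without a separate deny line, while the group rule shows how a wildcard destination grants a whole class of users the same window.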

Adding Users

Before a user can be authenticated by the server, the user must be added to the database. This is done with the authsrv command. When authsrv is invoked on the firewall under a userid of zero (that is, as root), it grants the caller administrative privileges over the database.

The authentication server has a number of commands, listed in table 6.16, for user administration.

Table 6.16
Administrator Commands for Authentication Setup
Command Description
adduser username [longname] Adds a user to the authentication database. Before the authentication server permits the use of this command, the administrator must first be authenticated to the server as an administrator or a group administrator. If the user is a group administrator, the newly created user is automatically initialized as a member of that group. When a user is added, the user is initially disabled. If a long name is provided, it will be stored in the database. Long names should be quoted if they contain whitespace.
deluser username Deletes the specified user from the authentication database. Before an administrator can use this command, he or she must first be authenticated to the server as the administrator or group administrator of the group to which the user belongs.
display username Displays the status, authentication protocol, and last login of the specified user. Before the authentication server permits the use of this command, the administrator must first be authenticated to the server as the administrator or as the group administrator of the group to which the user belongs.
enable username or disable username Enables or disables the specified user’s account for login. Before this command can be used, the administrator must first be authenticated to the server as the administrator or group administrator of the group to which the user belongs.
group user groupname Sets the specified user’s group. To use this command, the administrator must first be authenticated to the server as the administrator. Group administrators do not have the power to “adopt” members.
list [group] Lists all users that are known to the system, or the members of the specified group. Group administrators may list their own groups, but not the entire database. The list displays several fields, including:
• user. The login ID of the user.
• group. The group membership of the user. If none is listed, the user is in no group.
• longname. The user’s full name. This may be left blank.
• status. Contains codes indicating the user’s status.
password [username] text Sets the password for the current user. If an optional username is given and the authenticated user is the administrator or group administrator, the password for the specified user is changed. The password command is polymorphic depending on the user’s specified authentication protocol. For example, if the user’s authentication protocol is plaintext passwords, it will update the plaintext password. If the authentication protocol is SecurID with PINs, it will update the PIN.
proto user protoname Sets the authentication protocol for the specified user to the named protocol. Available protocols depend on the compiled-in support within authsrv. To change a user’s authentication protocol, the administrator must be authenticated to the server either as the administrator or group administrator of the user’s group.
quit or exit Disconnects from the authentication server.
superwiz user Sets the specified user as a global administrator. This command should only be used with deliberation; global administrative privileges are seldom used because the group mechanism is powerful enough.
wiz user or unwiz user Sets or turns off the group administrator flag on the specified user. To issue this command, the administrator must be authenticated to the server as the administrator.
? or help Lists a short synopsis of available commands.

To illustrate the use of these administrator commands, suppose you want to add a new user to the database. To do this, make sure you are logged in as root on the firewall, and run the authsrv command:

pc# pwd
/usr/local/etc
pc# ./authsrv
authsrv#

At this point, you can run any command shown in table 6.16. To add a user, use both the username and the long name with the command:

authsrv# adduser chrish "Chris Hare"
ok - user added initially disabled
authsrv#

Notice that the user, although added, is initially disabled. No password is associated with the user. At this point, you need to set a password for the user, and specify the group to which the user belongs.

authsrv# password chrish whisper
Password for chrish changed.
authsrv# group chrish production
set group
authsrv#

Now that the password and group membership are set, identify the authentication protocol that will be used for this user. Available protocols depend on the protocols that were compiled in when authsrv was built.

authsrv# proto chrish plaintext
Unknown protocol "plaintext", use one of: none password
authsrv# proto chrish password
changed
authsrv# enable chrish
enabled
authsrv#
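The privilege rules in table 6.16 and the session above, as an added Python model that is not the authsrv program or any TIS FWTK code: AuthDB, User, AuthError, walkthrough and denied are this example's own names, the wiz flag is set directly rather than through a modelled command, and the salted PBKDF2 password storage is the example's choice, not a statement about how authsrv stores credentials. The point it shows is the delegation boundary: a group administrator can add, disable, and re-password members of his or her own group, but cannot adopt users into a group or touch another group's members.

```python
"""Model of the delegated-administration rules summarised in table 6.16.

Constructed illustration, not TIS FWTK code.  superwiz marks the global
administrator, wiz a group administrator limited to his or her own group.
Only the two protocols the page's session shows ("none", "password") exist.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class AuthError(Exception):
    """The acting administrator lacks the privilege the command requires."""


@dataclass
class User:
    name: str
    longname: str = ""
    group: Optional[str] = None
    enabled: bool = False          # adduser leaves the account disabled
    proto: str = "none"
    salt: bytes = b""
    digest: bytes = b""
    superwiz: bool = False
    wiz: bool = False


class AuthDB:
    PROTOCOLS = ("none", "password")

    def __init__(self):
        self.users = {}
        self.root = User("root", superwiz=True)   # the root session on the firewall

    def _may_manage(self, actor, target):
        """Global admins manage anyone; group admins only their own group."""
        if actor.superwiz:
            return True
        return actor.wiz and actor.group is not None and actor.group == target.group

    def adduser(self, actor, name, longname=""):
        if not (actor.superwiz or actor.wiz):
            raise AuthError("adduser: administrator or group administrator required")
        if name in self.users:
            raise AuthError(f"user {name!r} already exists")
        user = User(name, longname)
        if not actor.superwiz:
            user.group = actor.group      # a group admin's new users join that group
        self.users[name] = user
        return user

    def deluser(self, actor, name):
        if not self._may_manage(actor, self.users[name]):
            raise AuthError("deluser: not administrator of this user's group")
        del self.users[name]

    def group(self, actor, name, groupname):
        if not actor.superwiz:            # group administrators cannot adopt members
            raise AuthError("group: global administrator required")
        self.users[name].group = groupname

    def set_enabled(self, actor, name, flag):
        target = self.users[name]
        if not self._may_manage(actor, target):
            raise AuthError("enable/disable: not administrator of this user's group")
        target.enabled = flag

    def password(self, actor, text, name=None):
        target = actor if name is None else self.users[name]
        if target is not actor and not self._may_manage(actor, target):
            raise AuthError("password: not administrator of this user's group")
        target.salt = secrets.token_bytes(16)    # store a salted digest, not the text
        target.digest = hashlib.pbkdf2_hmac("sha256", text.encode(), target.salt, 100_000)

    def proto(self, actor, name, protoname):
        target = self.users[name]
        if not self._may_manage(actor, target):
            raise AuthError("proto: not administrator of this user's group")
        if protoname not in self.PROTOCOLS:
            raise AuthError(f"Unknown protocol {protoname!r}, use one of: "
                            + " ".join(self.PROTOCOLS))
        target.proto = protoname

    def authenticate(self, name, text):
        """What a proxy asks of the server: disabled or proto 'none' users never pass."""
        user = self.users.get(name)
        if user is None or not user.enabled or user.proto != "password" or not user.digest:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", text.encode(), user.salt, 100_000)
        return hmac.compare_digest(candidate, user.digest)


def denied(fn, *args, **kwargs):
    """True if the command is refused with AuthError."""
    try:
        fn(*args, **kwargs)
    except AuthError:
        return True
    return False


def walkthrough():
    """Replay the page's session as root, then create a group admin for 'production'."""
    db = AuthDB()
    db.adduser(db.root, "chrish", "Chris Hare")
    db.password(db.root, "whisper", name="chrish")
    db.group(db.root, "chrish", "production")
    assert denied(db.proto, db.root, "chrish", "plaintext")   # rejected, as on the page
    db.proto(db.root, "chrish", "password")
    db.set_enabled(db.root, "chrish", True)
    db.adduser(db.root, "gadmin")
    db.group(db.root, "gadmin", "production")
    db.users["gadmin"].wiz = True       # stands in for the wiz command
    return db
```

Running walkthrough() leaves chrish able to authenticate with the password from the session; calling the same methods as gadmin then exercises the boundary the table describes.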

