Options
authsrv takes no command-line options, reading its configuration information from the Firewall Toolkit configuration file netperm-table(5). All configuration rules in netperm-table for application authsrv are read, and the following clauses and parameters are recognized:
database pathname
This command specifies the pathname of the authsrv database. The database is stored as a dbm(3) file with a third file used for locking. If the software is built with a compiled-in database name, this option need not be set, otherwise it is mandatory.
The following command indicates that authsrv should return user-friendly error messages when users attempt to authenticate and fail:
nobogus true
The default message is simply to respond, Permission Denied, or to return a bogus challenge. If nobogus is set, attempts to log in will return more explicit error messages. Site administrators concerned about attempts to probe the authentication server should leave this option disabled.
The following command establishes a sleep time for repeated bad logins:
badsleep seconds
If a user attempts to authenticate five times and fails, their user record is marked as suspicious, and they cannot log in again. If the badsleep value is set, the user may attempt to log in again after that many seconds have expired. If the badsleep value is 0, users may attempt (and fail) to log in as many times as they would like. The default value is to effectively disable the account until an administrator re-enables it manually.
To specify the userid that authsrv should run under, use a name from the password database, or a numeric userid in the command:
userid name
To specify that authsrv should permit the named host or addresses to use the service, add this command:
hosts host-pattern [key]
Hosts that do not have a matching entry are denied use of the service. If the optional key is specified, and the software is compiled with DES-encrypted communications, all traffic with that client will be encrypted and decrypted with the specified key.
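The following is an added example, not part of the original documentation or the Firewall Toolkit itself: a small Python audit script that reads a netperm-table fragment, collects the authsrv rules, and flags the settings this section describes as risky or broken (nobogus enabled, badsleep 0, a missing hosts clause, a missing database clause). It assumes the standard "app: clause param..." netperm-table line format with # comments and a * application wildcard; the sample fragment is constructed.

```python
# Constructed sample netperm-table fragment (not taken from the page).
SAMPLE_NETPERM = """\
# authentication server rules
authsrv: database /usr/local/etc/fw-authdb
authsrv: userid uucp
authsrv: hosts 127.0.0.1
authsrv: hosts 192.168.1.* deadbeef01234567   # key for DES-encrypted traffic
authsrv: badsleep 0
authsrv: nobogus true
ftp-gw:  timeout 3600
"""


def authsrv_rules(text):
    """Return the (clause, params) pairs that apply to authsrv.

    netperm-table lines look like 'app: clause param...'; '#' starts a
    comment.  Rules for the '*' application are assumed to apply to every
    application, authsrv included.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        app, rest = line.split(":", 1)
        if app.strip() not in ("authsrv", "*"):
            continue
        fields = rest.split()
        if fields:
            rules.append((fields[0], fields[1:]))
    return rules


def audit_authsrv(text):
    """Flag settings that weaken or break authsrv according to its manual."""
    rules = authsrv_rules(text)
    clauses = {clause for clause, _ in rules}
    findings = []
    if "database" not in clauses:
        findings.append("no database clause: mandatory unless compiled in")
    if "hosts" not in clauses:
        findings.append("no hosts clause: every client is denied the service")
    for clause, params in rules:
        if clause == "nobogus" and params and params[0].lower() == "true":
            findings.append("nobogus true: explicit errors help probing of the server")
        if clause == "badsleep" and params and params[0] == "0":
            findings.append("badsleep 0: unlimited failed login attempts")
    return findings
```

Running audit_authsrv over the sample yields two findings (the nobogus and badsleep lines); removing those lines yields none.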
Commands
The following command implements the first part of the authentication sequence:
authorize username
If the authorize command is issued after a user has already authenticated to the authentication server, their current authentication is cleared.
To implement the second part of the authentication sequence, the following command is used. This is returned in response to a password or challenge query from the authentication server:
response <text>
To disconnect from the authentication server, issue:
quit or exit
To display the status, authentication protocol, and last login of the specified user, issue the command:
display username
Before the authentication server permits the use of this command, the user must first be authenticated to the server as the administrator, or the group administrator of the group to which the user belongs.
To add a user to the authentication database, enter the command:
adduser username [longname]
Before the authentication server permits the use of this command, the user must first be authenticated to the server as the administrator or as a group administrator. If the user is a group administrator, the newly created user is automatically initialized as a member of that group. When a user is added, he or she is initially disabled. If a long name is provided, it will be stored in the database. Long names should be quoted if they contain white space, as in this example:
adduser mjr "Marcus J. Ranum"
To delete the specified user from the authentication database, use the command:
deluser username
Before this command can be used, the user must first be authenticated to the server as the administrator or group administrator of the group to which the user being deleted belongs.
The following commands enable and disable the specified user's account for login:
enable username
disable username
Before this command can be used, the user must first be authenticated to the server as the administrator or group administrator of the group to which the user being enabled or disabled belongs.
To set the password for the current user, issue:
password [username] text
If an optional username is given and the authenticated user is the administrator or group administrator, the password for the specified user is changed. The password command is polymorphic depending on the user's specified authentication protocol. For example, if the user's authentication protocol is plaintext passwords, the command will update the plaintext password. If the authentication protocol is SecurID with PINs, it will update the PIN.
The following command sets the authentication protocol for the specified user to the named protocol:
proto user protoname
Available protocols depend on the compiled-in support within authsrv. To change a user's authentication protocol, the user must be authenticated to the server either as the administrator or as group administrator of the user's group. To set the specified user's group, use the command:
group user groupname