Internet Security Professional Reference: How to Build a Firewall


Options

authsrv takes no command-line options; it reads its configuration from the Firewall Toolkit configuration file netperm-table(5). All rules in netperm-table whose application field is “authsrv” are read, and the following clauses and parameters are recognized:

database pathname

This command specifies the pathname of the authsrv database. The database is stored as a dbm(3) file with a third file used for locking. If the software is built with a compiled-in database name, this option need not be set, otherwise it is mandatory.

The following command makes authsrv return “user-friendly” error messages when an authentication attempt fails:

nobogus true

By default a failed attempt is answered with “Permission Denied,” or with a bogus challenge, so that a probe cannot tell a nonexistent or locked account from a real one. If nobogus is set, failed attempts return more explicit error messages, which necessarily reveal that state. Site administrators concerned about attempts to probe the authentication server should leave this option disabled.

The following command establishes a “sleep time” for repeated bad logins:

badsleep seconds

If a user fails to authenticate five times, the user record is marked as suspicious and further logins are refused. If badsleep is set, the user may try again once that many seconds have elapsed. If badsleep is 0, users may attempt (and fail) to log in as many times as they like. When badsleep is not set at all, which is the default, the account remains disabled until an administrator re-enables it manually.

To specify the userid that authsrv should run under, use a name from the password database, or a numeric userid in the command:

userid name

To specify that authsrv should permit the named host or addresses to use the service, add this command:

hosts host-pattern [key]

Hosts that do not have a matching entry are denied use of the service. If the optional key is specified and the software is compiled with DES-encrypted communications, all traffic with that client is encrypted and decrypted with the specified key. Because the key is stored in netperm-table in the clear, that file must be readable only by the firewall administrator.
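The following parser and audit for the authsrv rules of a netperm-table is an added example, not code from the Firewall Toolkit. It assumes the netperm-table form `application: keyword args`, with `#` comments and with `*` or a comma-separated list standing for several applications, and it recognizes only the authsrv keywords documented above (database, nobogus, badsleep, userid, hosts). Both sample tables, the pathname, the userid, the addresses and the key are constructed for the example.

```python
"""Parse the authsrv rules of a netperm-table and flag weak settings.

Added example, not Firewall Toolkit code. Rule syntax and the warning
texts are assumptions; the keywords are those documented for authsrv.
"""
import shlex

# Constructed sample tables: a weak configuration and a hardened one.
# Pathname, userid, addresses and the DES key are invented for the example.
WEAK_TABLE = """\
# netperm-table (constructed sample)
authsrv: database /usr/local/etc/fw-authdb
authsrv: nobogus true
authsrv: badsleep 0
authsrv: hosts *
"""

HARDENED_TABLE = """\
authsrv: database /usr/local/etc/fw-authdb
authsrv: userid authsrv
authsrv: badsleep 1200
authsrv: hosts 127.0.0.1
authsrv: hosts 10.0.0.5 0123456789abcdef
"""


def parse_authsrv_rules(table_text):
    """Return (config, warnings) for the rules that apply to 'authsrv'."""
    config = {"hosts": []}
    for raw in table_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        apps, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed rule: %r" % raw)
        names = [a.strip() for a in apps.split(",")]
        if "authsrv" not in names and "*" not in names:
            continue                               # rule is for another application
        words = shlex.split(rest)
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "hosts":
            config["hosts"].append({"pattern": args[0],
                                    "key": args[1] if len(args) > 1 else None})
        elif keyword in ("database", "userid"):
            config[keyword] = args[0]
        elif keyword == "badsleep":
            config["badsleep"] = int(args[0])
        elif keyword == "nobogus":
            config["nobogus"] = args[0].lower() == "true" if args else True
        # any other keyword in a '*:' rule belongs to some other Toolkit program
    return config, audit(config)


def audit(config):
    """Flag the settings a site that fears probing or password guessing should not run with."""
    warnings = []
    if "database" not in config:
        warnings.append("database: no pathname; mandatory unless compiled in")
    if config.get("nobogus"):
        warnings.append("nobogus true: explicit failures let a probe tell a valid "
                        "username from an unknown or locked one")
    if config.get("badsleep") == 0:
        warnings.append("badsleep 0: failed logins never lock the record, "
                        "so password guessing is unlimited")
    if not config["hosts"]:
        warnings.append("hosts: no client host permitted; every request is refused")
    for entry in config["hosts"]:
        if entry["pattern"] == "*":
            warnings.append("hosts *: any host may use the authentication server")
    return warnings
```

A missing badsleep is deliberately not flagged: the page's default (locked until an administrator re-enables the account) is the more conservative choice, and only the explicit 0 removes the lockout.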

Commands

The following command implements the first part of the authentication sequence:

authorize username

If the authorize command is issued after a user has already authenticated to the authentication server, their current authentication is cleared.

To implement the second part of the authentication sequence, the following command is used. This is returned in response to a password or challenge query from the authentication server:

response text

To disconnect from the authentication server, issue:

quit or exit
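The login sequence just described (authorize, response, quit/exit), together with the nobogus and badsleep rules from the Options section, as an added example that is not Firewall Toolkit code. It simulates the server side in memory for users whose protocol is plaintext password. The reply words password, ok and bye and the error: texts are assumptions (the page documents only “Permission Denied”), the server's admin_enable method stands in for the administrator's enable command, and the current time is passed in explicitly so the lockout can be exercised without waiting.

```python
"""Simulated authsrv login sequence with the badsleep and nobogus rules.

Added example, not Firewall Toolkit code. Reply words other than
"Permission Denied" are assumptions.
"""
import hmac
import time

MAX_FAILURES = 5        # five failed attempts mark the record suspicious


class AuthServer:
    def __init__(self, passwords, nobogus=False, badsleep=None):
        # badsleep: None = locked until an administrator re-enables (default),
        #           0 = never lock, N > 0 = locked for N seconds
        self.nobogus, self.badsleep = nobogus, badsleep
        self.users = {n: {"password": p, "enabled": True, "failures": 0, "locked_at": None}
                      for n, p in passwords.items()}

    def admin_enable(self, name):
        """Stand-in for the administrator's 'enable' command: clears the lock."""
        self.users[name].update(enabled=True, failures=0, locked_at=None)

    def may_try(self, user, now):
        """Apply the enable flag and the badsleep rule; releases an expired lock."""
        if not user["enabled"]:
            return False
        if user["locked_at"] is None:
            return True
        if self.badsleep and now - user["locked_at"] >= self.badsleep:
            user["locked_at"], user["failures"] = None, 0
            return True
        return False        # badsleep unset: locked until an administrator re-enables


class AuthSession:
    """One client connection: the pending authorize and the authenticated user."""

    def __init__(self, server):
        self.server = server
        self.pending = None          # username from the last 'authorize'
        self.authenticated = None    # set by a successful 'response'

    def command(self, line, now=None):
        now = time.time() if now is None else now
        verb, _, arg = line.strip().partition(" ")
        verb = verb.lower()
        if verb == "authorize":
            return self.authorize(arg.strip(), now)
        if verb == "response":
            return self.response(arg, now)
        if verb in ("quit", "exit"):
            self.pending = self.authenticated = None
            return "bye"
        return "error: unknown command"

    def authorize(self, name, now):
        self.authenticated = None    # a new authorize clears any current authentication
        user = self.server.users.get(name)
        if self.server.nobogus and (user is None or not self.server.may_try(user, now)):
            self.pending = None
            return "error: " + self.explain(user)
        # nobogus off: unknown, disabled and locked users get the same prompt as a
        # valid user, so a probe learns nothing from the authorize step
        self.pending = name
        return "password"

    def response(self, text, now):
        name, self.pending = self.pending, None
        if name is None:
            return "error: no authorize pending"
        user = self.server.users.get(name)
        if user is not None and self.server.may_try(user, now):
            if hmac.compare_digest(user["password"].encode(), text.encode()):
                user["failures"], user["locked_at"] = 0, None
                self.authenticated = name
                return "ok"
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES and self.server.badsleep != 0:
                user["locked_at"] = now          # suspicious: no more logins for now
        if self.server.nobogus:
            return "error: " + self.explain(user)
        return "Permission Denied"

    @staticmethod
    def explain(user):
        """The explicit messages nobogus enables; each one discloses account state."""
        if user is None:
            return "no such user"
        if not user["enabled"]:
            return "account disabled"
        if user["locked_at"] is not None:
            return "account locked after repeated failures"
        return "bad password"
```

With nobogus off, an unknown user, a locked user and a wrong password all produce the same two-line exchange, which is the property the page's warning about probing depends on.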

To display the status, authentication protocol, and last login of the specified user, issue the command:

display username

Before the authentication server permits the use of this command, the user must first be authenticated to the server as the administrator, or the group administrator of the group to which the user belongs.

To add a user to the authentication database, enter the command:

adduser username [longname]

Before the authentication server permits the use of this command, the user must first be authenticated to the server as the administrator or as a group administrator. If the user is a group administrator, the newly created user is automatically initialized as a member of that group. A newly added user is initially disabled and must be enabled before the account can log in. If a long name is provided, it is stored in the database. Long names should be quoted if they contain white space, as in this example:

adduser mjr "Marcus J. Ranum"

To delete the specified user from the authentication database, use the command:

deluser username

Before this command can be used, the user must first be authenticated to the server as the administrator or group administrator of the group to which the user being deleted belongs.

The following commands enable and disable the specified user’s account for login:

enable username
disable username

Before either command can be used, the user must first be authenticated to the server as the administrator or group administrator of the group to which the user being enabled or disabled belongs.

To set the password for the current user, issue:

password [username] text

If an optional username is given and the authenticated user is the administrator or group administrator, the password for the specified user is changed. The password command is polymorphic depending on the user’s specified authentication protocol. For example, if the user’s authentication protocol is plaintext passwords, the command will update the plaintext password. If the authentication protocol is SecurID with PINs, it will update the PIN.

The following command sets the authentication protocol for the specified user to the named protocol:

proto user protoname

Available protocols depend on the compiled-in support within authsrv. To change a user’s authentication protocol, the user must be authenticated to the server either as the administrator or as group administrator of the user’s group.

To set the specified user’s group, use the command:

group user groupname
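The authorization rules for the administrative commands above (display, adduser, deluser, enable, disable, password, proto and group), as an added example that is not Firewall Toolkit code. It keeps the user database in memory and checks, before each command, whether the already-authenticated actor is the administrator or a group administrator of the target user's group. Assumptions: the administrator account is named admin; the protocol names password and securid stand for whatever protocols are compiled in; the group restriction the page states for most commands is applied to password and group as well; the reply texts other than “Permission Denied” are invented.

```python
"""Authorization model for the authsrv administrative commands.

Added example, not Firewall Toolkit code. The administrator name,
protocol names and reply texts are assumptions.
"""
import shlex

ADMIN = "admin"     # assumed name of the administrator account


def record(group=None, group_admin=False, enabled=False, proto="password", longname=""):
    """A user record as adduser creates it: disabled until an administrator enables it."""
    return {"group": group, "group_admin": group_admin, "enabled": enabled,
            "proto": proto, "secret": None, "longname": longname, "last_login": None}


class AuthDB:
    def __init__(self, users):
        self.users = users

    def may_manage(self, actor, target):
        """The administrator may manage anyone; a group admin only users of their own group."""
        if actor == ADMIN:
            return True
        a, t = self.users[actor], self.users.get(target)
        return a["group_admin"] and t is not None and t["group"] == a["group"]

    def run(self, actor, line):
        """Run one administrative command for an already authenticated 'actor'."""
        words = shlex.split(line)       # shlex keeps "Marcus J. Ranum" as one argument
        if not words:
            return "error: empty command"
        verb, args = words[0].lower(), words[1:]
        if verb == "adduser":
            return self._adduser(actor, args)
        if verb == "password":
            return self._password(actor, args)
        if verb not in ("display", "deluser", "enable", "disable", "proto", "group"):
            return "error: unknown command"
        target = args[0] if args else ""
        if not self.may_manage(actor, target):
            return "Permission Denied"       # checked before revealing whether target exists
        user = self.users.get(target)
        if user is None:
            return "error: no such user"
        if verb == "display":
            state = "enabled" if user["enabled"] else "disabled"
            return "%s: %s proto=%s last=%s" % (target, state, user["proto"],
                                                user["last_login"] or "never")
        if verb == "deluser":
            del self.users[target]
        elif verb in ("enable", "disable"):
            user["enabled"] = verb == "enable"
        elif len(args) < 2:
            return "error: missing argument"
        elif verb == "proto":
            user["proto"], user["secret"] = args[1], None   # old secret no longer applies
        else:
            user["group"] = args[1]
        return "ok"

    def _adduser(self, actor, args):
        if actor != ADMIN and not self.users[actor]["group_admin"]:
            return "Permission Denied"
        if not args:
            return "error: missing argument"
        name = args[0]
        if name in self.users:
            return "error: user exists"
        # a group administrator's new user is placed in that administrator's group
        group = None if actor == ADMIN else self.users[actor]["group"]
        self.users[name] = record(group=group, longname=args[1] if len(args) > 1 else "")
        return "ok"

    def _password(self, actor, args):
        if len(args) == 1:
            target, secret = actor, args[0]          # a user changes their own secret
        elif len(args) == 2:
            target, secret = args
            if not self.may_manage(actor, target):
                return "Permission Denied"
        else:
            return "error: usage: password [username] text"
        user = self.users[target]
        user["secret"] = secret
        # 'password' is polymorphic: it sets whichever secret the user's protocol uses
        return "ok: %s set" % ("PIN" if user["proto"] == "securid" else "password")
```

The permission check runs before the existence check so that a group administrator cannot use "no such user" replies to enumerate accounts in other groups.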

