To use this command, a user must first be authenticated to the server as the administrator. Group administrators do not have the power to adopt members.
The following commands set and clear the group administrator flag on the specified user. To issue this command, a user must be authenticated to the server as the administrator.
wiz user
unwiz user
This command sets the specified user as a global administrator:
superwiz user
Warning: The superwiz command should be used with caution. Usually the group mechanism is powerful enough for most system maintenance. For this reason, global administrative privileges are seldom used.
To list all users that are known to the system, or the members of the specified group, use the command:
list [group]
Group administrators may list their own groups, but not the entire database. The list displays several fields, including:
To list a short synopsis of available commands, use this command:
? or help
To determine if the named user is allowed to perform the specified service, use the command:
operation user username service dest [other tokens] [time low# high#]
The service might be any one of the application gateways such as telnet-gw, ftp-gw, or rlogin-gw. The destination is any valid IP domain. The optional tokens are matched as wildcards to permit a proxy to specify more detailed operations. If a matching rule is found, the appropriate response is returned to the client. If no match is found, a message indicating that no match was found is returned to the client program. Here is an example:
operation user mjr telnet-gw relay.tis.com
operation user mjr ftp-gw relay.tis.com put
Operation rules are stored in the netperm-table. For each user/group the name is specified, followed by the service, the destination, [optional tokens] and [time start end]. The user/group field indicates whether the record is for a user or a group. The name is either the username or the group name. The service can be any service specified by the proxy (usually ftp-gw, tn-gw, or rlogin-gw); the destination can be any valid domain name. The optional tokens are checked for a match, permitting a proxy to send a specific operation check to the authentication server. The time field is optional and must be specified as time start_time end_time. The start_time and end_time parameters can be in the range 00:00 to 23:59. Here is a string of commands that specify who can use a service and when:
authsrv permit-operation user mjr telnet-gw relay.tis.com time 08:00 17:00
authsrv deny-operation user mjr telnet-gw relay.tis.com time 17:01 07:59
authsrv permit-operation group admin telnet-gw * time 08:00 17:00
authsrv deny-operation user mjr telnet-gw relay.tis.com time 17:01 07:59
authsrv permit-operation group admin telnet-gw *.com
authsrv deny-operation group admin ftp-gw *.com put time 00:00 23:59
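To make the rule semantics concrete, here is an added example (not FWTK code) that parses rules in the format above and answers an operation check for a user, service, destination, optional tokens and time of day. It assumes first-match-wins ordering, that a start time later than its end time wraps past midnight, and that a query with no matching rule returns None; the page does not state these details.

```python
"""Evaluate authsrv-style permit-operation / deny-operation rules.
Added example, not FWTK code. Rule syntax follows the netperm-table form:
  authsrv permit-operation|deny-operation user|group NAME SERVICE DEST [tokens] [time HH:MM HH:MM]
Assumptions: first matching rule wins; no match returns None."""
from fnmatch import fnmatch

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "authsrv":
            continue  # skip blank lines and non-authsrv records
        verb, kind, name, service, dest = f[1:6]
        rest = f[6:]
        window = None
        if len(rest) >= 3 and rest[-3] == "time":
            window, rest = (rest[-2], rest[-1]), rest[:-3]
        rules.append(dict(permit=verb == "permit-operation", kind=kind, name=name,
                          service=service, dest=dest, tokens=rest, window=window))
    return rules

def in_window(hhmm, window):
    """Inclusive HH:MM window; start after end wraps past midnight (assumption)."""
    if window is None:
        return True
    lo, hi = window
    return lo <= hhmm <= hi if lo <= hi else (hhmm >= lo or hhmm <= hi)

def check_operation(rules, user, groups, service, dest, tokens=(), now="12:00"):
    for r in rules:
        subject_ok = (r["kind"] == "user" and r["name"] == user) or \
                     (r["kind"] == "group" and r["name"] in groups)
        if not subject_ok or r["service"] != service:
            continue
        if not fnmatch(dest, r["dest"]):       # destination wildcards such as *.com
            continue
        # rule tokens are matched as wildcards against the leading query tokens
        if len(r["tokens"]) > len(tokens) or \
           not all(fnmatch(t, p) for p, t in zip(r["tokens"], tokens)):
            continue
        if not in_window(now, r["window"]):
            continue
        return "permit" if r["permit"] else "deny"
    return None

# Constructed sample, taken from the rules shown on this page.
SAMPLE_RULES = parse_rules("""
authsrv permit-operation user mjr telnet-gw relay.tis.com time 08:00 17:00
authsrv deny-operation user mjr telnet-gw relay.tis.com time 17:01 07:59
authsrv permit-operation group admin telnet-gw *.com
authsrv deny-operation group admin ftp-gw *.com put time 00:00 23:59
""")
```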
Installation
To install authsrv, configure the database option in netperm-table and initialize the database. To initialize the database, use su to become root, run authsrv at the command line, then issue the following commands:
#
# authsrv
-administrator mode-
authsrv# list
Report for users in database
user     group    longname   ok?  proto  last
----     -----    --------   ---  -----  ----
authsrv# adduser admin Auth DBA
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin Snk
changed
authsrv# pass 160 270 203 065 022 034 232 162 admin
Secret key changed
authsrv# list
Report for users in database
user     group    longname   ok?  proto  last
----     -----    --------   ---  -----  ----
admin             Auth DBA   ena  Snk    never
authsrv# quit
#
In this example, the administrator account is established, then enabled, a protocol is assigned, and the initial password is set. The format of the set password depends on the authentication protocol used for the record. In this example, the administrator record is using a SecureNet Key, so the password record consists of the shared secret key used by the device.
After the database is initialized, add the necessary host entries to netperm-table, install authsrv in inetd.conf, then restart inetd. Verify that authsrv is running by trying to telnet to the service port.
Note: Ensure that the database is protected against casual perusal by checking its file permissions.
Synopsis
ftp-gw [autheduser] [user@host]
Description
ftp-gw provides pass-through FTP proxy services with logging and access control. When ftp-gw is invoked from inetd, it reads its configuration and checks to see if the system that has just connected is permitted to use the proxy. If not, ftp-gw shuts down the connection, displays a message, and logs the connection. If the peer is permitted to use the proxy, ftp-gw enters a command loop in which it parses all FTP requests and passes them to a remote FTP server. Any FTP request can be selectively logged or blocked by the proxy.
Two methods are supported to permit users to specify the system they want to FTP to through the proxy. The most commonly used is encoding the destination system name in the username:
% ftp gatekeeper
Connected to gatekeeper.
220 gatekeeper FTP proxy (Version 1.0) ready.
Name (host:user): user@somplace
331-(----GATEWAY CONNECTED TO someplace----)
331-(220 someplace FTP server (Version 5.60/mjr) ready.)
331 Password required for user.
Password:
230 User user logged in.
Remote system type is Unix.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
%