LOGIN_AUTH(8) BSD System Manager's Manual LOGIN_AUTH(8)
NAME
login_auth - remote authentication service
SYNOPSIS
login_auth [-d] [-s service] [-t tracefile] [-T tracefile] [-v name=value] name [class]
DESCRIPTION
The login_auth program implements remote authentication (see
login.conf(5)). The authserver entry for the user's class is used
as the hostname of a machine running the authsrv(8) daemon.
Available options are:
-d Allow stand-alone debugging.
-s Specify the service. Currently only challenge, login, and
response are supported.
-t Place a trace of all data sent and received as it appears on the
wire into the file tracefile. The data is displayed in hexadecimal.
-T Same as the -t flag except the clear text information is also
reported. THIS WILL REPORT SENSITIVE INFORMATION, SUCH AS PASSWORDS,
IN THE CLEAR AND SHOULD ONLY BE USED WHEN DIAGNOSING A
PROBLEM AND NEVER USED IN PRODUCTION.
-v This option and its value are ignored.
Before contacting the server, login_auth first searches the
/etc/authsrv.keys directory for a file which matches the IP address of
the server. A file is deemed to match the IP address if one of the IP
addresses associated with the name (as provided by gethostbyname(3))
matches the server's IP address. The first match is used. The file matched
is expected to contain a single line of text which consists of an
authentication mode followed by a single space and authentication-mode-specific
data. The supported authentication modes are:
DES Use DES to encrypt the data. A new random session key is used
for each session, limiting the exposure of the long-lived shared
secret key.
MD5 Use MD5 to encrypt the data. A new random noise vector is
generated by each side for each session to confound analysis of
multiple sessions.
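The key-file lookup described above, sketched in Python as an added example (it is not BSD/OS source code), reading "the name" as the file's own name. The injectable resolve parameter, the sorted scan order, and the strict rejection of a malformed file are assumptions made here; the page specifies only the match rule and the one-line format.

```python
import os
import socket

SUPPORTED_MODES = {"DES", "MD5"}  # the two modes this page lists


def parse_key_line(text):
    """Split a key file's content into (mode, data); ValueError if malformed."""
    lines = text.splitlines()
    if len(lines) != 1:
        raise ValueError("expected exactly one line of text")
    mode, sep, data = lines[0].partition(" ")
    if mode not in SUPPORTED_MODES:
        raise ValueError("unsupported authentication mode: %r" % mode)
    # Assumption: "a single space" is read strictly, so extra leading
    # whitespace before the mode-specific data is rejected.
    if sep != " " or not data or data[0].isspace():
        raise ValueError("mode must be followed by one space and data")
    return mode, data


def resolve_ipv4(name):
    """All IPv4 addresses for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (OSError, UnicodeError):
        return []


def find_key_file(keys_dir, server_ip, resolve=resolve_ipv4):
    """Return (path, mode, data) for the first file whose name resolves
    to server_ip, or None. Because the first match is used, a malformed
    first match raises ValueError instead of falling through to a later file.
    """
    # Assumption: sorted order, so "first match" is deterministic here;
    # the page does not say in what order the directory is scanned.
    for name in sorted(os.listdir(keys_dir)):
        path = os.path.join(keys_dir, name)
        if not os.path.isfile(path) or server_ip not in resolve(name):
            continue
        with open(path) as fh:
            mode, data = parse_key_line(fh.read())
        return path, mode, data
    return None
```

When two file names resolve to the same server address, only the first one found is consulted, so a stale or duplicate entry in the directory can silently select a different shared secret or mode.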
Rather than requesting the auth style directly (in which case
authsrv(8) uses a default style), it is expected that login_auth will be
linked to the various mechanisms desired. For instance, to have all
CRYPTOCard and ActivCard authentication take place on a remote server via
the remote authentication protocol, remove the login_activ and
login_crypto modules and link login_auth to both of those names. Now
when the user requests one of those authentication styles, login_auth
will automatically forward the request to the remote authsrv(8) and
request that it perform the requested style of authentication.
SEE ALSO
auth(4), login.conf(5), auth-keyx(8), authsrv(8), login(8)
BSDI BSD/OS May 16, 1997