The Identification and Authentication Facility (IAF) authenticates network connections independently of the network application. It consists of three components: an invocation function, the cr1 and login authentication schemes, and the ID mapping facility. The cr1 schemes are described in ``cr1 Bilateral Authentication Scheme''. ID mapping is discussed in ``Administering ID mapping''.
Following the establishment of a connection, the connection server (on the client side) and the port monitor (on the server side) each invoke an authentication scheme. Once the client scheme has succeeded, the connection server passes the connection to the client application. Once the server scheme has succeeded, the server scheme searches the ID mapping database to determine how the user on the client should be mapped to a user on the server. At a minimum, the database consists of a map file that maps user logins on client systems to user logins on the server. Once the scheme has mapped the client user's identity to a local identity, the port monitor invokes the requested service.
Authentication schemes are invoked by the IAF. UnixWare 7 contains the cr1 authentication scheme. By default, cr1 uses DES encryption, and is referenced as cr1.des. Because of export restrictions on DES, cr1 can also use ENIGMA encryption. When using ENIGMA encryption, cr1 is referenced as cr1.enigma. Other than the underlying encryption algorithm used, all cr1 schemes behave identically.

The cr1 schemes operate as follows. The client and server schemes exchange a sequence of encrypted messages. Each system uses a secret key, which it retrieves from its local cr1 key database, to encrypt its own messages and decrypt the other's messages. (A secret key is a bit string known only to the client and server.) By successfully decrypting the other's messages, each machine authenticates the other's identity. The client scheme informs the server scheme of its user's identity.
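The following added example illustrates the flow described in the two passages above (shared-key bilateral authentication followed by ID mapping). It is not cr1's actual code or wire format, which this page does not specify: the message layout, the nonce-based challenge-response, the in-memory key databases, the map-file contents and the toy cipher (a SHA-256 keystream with an HMAC tag, standing in for DES or ENIGMA so that decryption with the wrong key fails detectably) are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for each host's local cr1 key database.
# cr1 keeps these in per-system files; here they are in-memory dicts
# keyed by the name of the peer host.
CLIENT_KEYDB = {"serverhost": b"shared-secret-between-client-and-server"}
SERVER_KEYDB = {"clienthost": b"shared-secret-between-client-and-server"}

# Constructed stand-in for the server's ID mapping "map file":
# (client host, client login) -> local login on the server.
SERVER_MAP_FILE = {
    ("clienthost", "alice"): "alice",
    ("clienthost", "root"): "nobody",
}

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Toy keystream (SHA-256 counter mode); a stand-in for DES/ENIGMA."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag; the tag lets the receiver detect a wrong key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Inverse of encrypt(); raises ValueError if the key does not match."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong key or altered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def bilateral_auth_and_map(client_host, client_user, server_host,
                           client_keydb, server_keydb, map_file):
    """Run the client and server sides in one process and return the mapped local login.

    Raises PermissionError whenever either side fails to authenticate the other
    or the authenticated remote identity has no entry in the map file.
    """
    # Client side: announce the user's identity and a fresh challenge (sent in the clear).
    client_key = client_keydb[server_host]
    nonce_c = secrets.token_bytes(NONCE_LEN)

    # Server side: retrieve the key shared with this client host from the local key database,
    # then answer with the client's challenge plus a challenge of its own, encrypted.
    server_key = server_keydb.get(client_host)
    if server_key is None:
        raise PermissionError(f"no key for {client_host} in server key database")
    nonce_s = secrets.token_bytes(NONCE_LEN)
    msg_from_server = encrypt(server_key, nonce_c + nonce_s)

    # Client side: successful decryption and a correct echo of nonce_c authenticate the server.
    try:
        plain = decrypt(client_key, msg_from_server)
    except ValueError:
        raise PermissionError("server failed authentication (undecryptable reply)")
    if plain[:NONCE_LEN] != nonce_c:
        raise PermissionError("server failed authentication (challenge mismatch)")
    msg_from_client = encrypt(client_key, plain[NONCE_LEN:])

    # Server side: the client proves it holds the same key by returning nonce_s.
    try:
        echoed = decrypt(server_key, msg_from_client)
    except ValueError:
        raise PermissionError("client failed authentication (undecryptable reply)")
    if echoed != nonce_s:
        raise PermissionError("client failed authentication (challenge mismatch)")

    # ID mapping: translate the now-authenticated remote identity to a local login.
    local_login = map_file.get((client_host, client_user))
    if local_login is None:
        raise PermissionError(f"no ID mapping for {client_user}@{client_host}")
    return local_login


if __name__ == "__main__":
    print(bilateral_auth_and_map("clienthost", "alice", "serverhost",
                                 CLIENT_KEYDB, SERVER_KEYDB, SERVER_MAP_FILE))
```

The mapping step runs only after both sides have authenticated, which is the order the page describes: the identity the client announces is trusted only because the client also proved possession of the shared key, and the map file then decides which local login, if any, that identity becomes.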