cr1(1Mbnu)

cr1 -- bilateral IAF authentication scheme

Synopsis

cr1 [-r] [-u local_user] [-s local_service] [-U remote_user]
[-M remote_machine] [-S remote_service]

Description

The cr1 scheme executable implements the cr1 identification and authentication protocol. The cr1 scheme is a bilateral scheme that operates within the framework of the Identification and Authentication Facility (IAF).

cr1 identifies and authenticates users on both the server and the client machines at the time a connection is established. Both parties in the communication are authenticated through the use of a key (see cryptkey(1bnu)). The effective UID of the process running cr1 determines the key that is used in the authentication.

Options

The options to cr1 have the following meanings:

-r: Indicates that the scheme will operate in the role of responder. If this option is not specified, the scheme operates in the role of imposer.
-u local_user: Indicates the local logname local_user.
-s local_service: Indicates the local service name local_service.
-U remote_user: Indicates the remote logname remote_user.
-M remote_machine: Indicates the remote system remote_machine.
-S remote_service: Indicates the remote service name remote_service.

Files

/etc/iaf/cr1/keys: cr1 key database
/var/iaf/cr1/log: cr1 log file

Usage

To instruct a port monitor to use cr1 to protect a service, a cr1 command line must be registered in the ``scheme'' field of the service's entry in the port monitor's _pmtab file. When a remote user attempts to access a service on the local system, the port monitor passes the command to the invoke(3iac) function, which executes the program.

If the -u option is used in the responder role, the cr1 scheme attempts to use the key shared by the local and remote machines. If this key is not available to the application (or if no -u option is used), the cr1 scheme will attempt to use the key shared by the local effective user and the principal indicated by the -M and -U options.

The imposer will use the corresponding key shared by the responder and the local effective user.

The options -u and -s indicate that the local user name and the name of the local service, respectively, are to be passed to the remote machine in the authentication exchange. The -U and -M options instruct cr1 to use the remote machine name and the remote user name, respectively, to look up keys in its database.

The cr1 executable program implements the cr1 protocol, assuming that file descriptors 0, 1, and 2 have been set to the connection to be authenticated. The file descriptors are set by the invoke library function (see invoke(3iac)).

Upon successful completion of an authentication exchange, the cr1 program exits with a value of 0 and associates appropriate values with the authenticated connection, using the putava and setava functions. The associated values may then be used by applications using the authenticated connection, using the getava and retava functions.

Note that by default, cr1 uses DES encryption. For this to work, both machines using authentication must have the Encryption Utilities package installed. If this package is not available, the machines can use authentication using ENIGMA encryption, by invoking cr1 as cr1.enigma.

Diagnostics

If authentication fails, cr1 exits with a non-zero return value and logs a reason or reasons in its log file.

References

Config(4bnu), cryptkey(1bnu), getava(3iac), getkey(3N), invoke(3iac), keymaster(1Mbnu), Permissions(4bnu)