⇒ cr1(1M) — UnixWare 2.01



       cr1(1M)                                                      cr1(1M)


       NAME
             cr1 - bilateral IAF authentication scheme

       SYNOPSIS
             cr1 [-r] [-u local_user] [-s local_service]
                   [-U remote_user] [-M remote_machine] [-S remote_service]

       DESCRIPTION
             The cr1 scheme executable implements the cr1 identification
             and authentication protocol.  The cr1 scheme is a bilateral
             scheme that operates within the framework of the
             Identification and Authentication Facility (IAF).

             cr1 identifies and authenticates users on both the server and
             the client machines at the time a connection is established.
             Both parties in the communication are authenticated through
             the use of a key [see cryptkey(1)].  The effective UID of the
             process running cr1 determines the key that is used in the
             authentication.

          Files
             /etc/iaf/cr1/keys
                            cr1 key database
             /var/iaf/cr1/log
                            cr1 log file

          Diagnostics
             If authentication fails, cr1 exits with a non-zero return
             value and logs a reason or reasons in its log file.

       USAGE
             To instruct a port monitor to use cr1 to protect a service, a
             cr1 command line must be registered in the scheme field of the
             service's entry in the port monitor's _pmtab file.  When a
             remote user attempts to access a service on the local system,
             the port monitor passes that command line to the invoke
             library function [see invoke(3I)], which executes the cr1
             program with the connection attached to its standard file
             descriptors.

             The options to cr1 have the following meanings:

             -r          Indicates that the scheme will operate in the role
                         of responder.  If this option is not specified,
                         the scheme operates in the role of imposer.





                           Copyright 1994 Novell, Inc.               Page 1

            -u local_user
                        Indicates the local logname local_user.

            -s local_service
                        Indicates the local service name local_service.

            -U remote_user
                        Indicates the remote logname remote_user.

            -M remote_machine
                        Indicates the remote system remote_machine.

            -S remote_service
                        Indicates the remote service name remote_service.

            If the -u option is used in the responder role, the cr1 scheme
            attempts to use the key shared by the local and remote
            machines.  If this key is not available to the application (or
            if no -u option is used), the cr1 scheme will attempt to use
            the key shared by the local effective user and the principal
            indicated by the -M and -U options.

            The imposer will use the corresponding key shared by the
            responder and the local effective user.

            The options -u and -s indicate that the local user name and
            the name of the local service, respectively, are to be passed
            to the remote machine in the authentication exchange.  The -U
            and -M options instruct cr1 to use the remote user name and
            the remote machine name, respectively, to look up keys in its
            database.

            The cr1 executable program implements the cr1 protocol,
            assuming that file descriptors 0, 1, and 2 have been set to
            the connection to be authenticated.  The file descriptors are
            set by the invoke library function [see invoke(3I)].

            Upon successful completion of an authentication exchange, the
            cr1 program exits with a value of 0 and associates appropriate
            values with the authenticated connection, using the putava and
            setava functions.  The associated values may then be used by
            applications using the authenticated connection, using the
            getava and retava functions.
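The following Python program is an added illustration, not part of the cr1 manual page or of any UnixWare source: it models the imposer and responder roles, the key-selection rule stated above (responder with -u tries the machine-to-machine key first, otherwise the key shared by the local effective user and the -M/-U principal), a three-message mutual challenge-response, the non-zero exit status and logged reason on failure, and the values a successful run attaches to the connection. The key database, the host names hostA and hostB, the lognames alice and bob, the service name rlogin and the HMAC-SHA256 proof format are all constructed assumptions; cr1's real wire format and its DES or ENIGMA enciphering are not reproduced.

```python
import hashlib
import hmac
import os

# Constructed stand-in for /etc/iaf/cr1/keys. Assumption: a key is indexed by the
# unordered pair of principals sharing it, a principal is (logname, machine), and
# logname "" stands for the machine itself.
KEYDB = {
    frozenset({("", "hostA"), ("", "hostB")}): b"constructed-machine-key-AB",
    frozenset({("alice", "hostA"), ("bob", "hostB")}): b"constructed-alice-bob-key",
}

def select_key(local_user, local_machine, remote_user, remote_machine,
               responder_with_u=False):
    """A responder given -u first tries the machine-to-machine key; otherwise (or
    if that key is absent) the key shared by the local user and the -M/-U principal."""
    if responder_with_u:
        key = KEYDB.get(frozenset({("", local_machine), ("", remote_machine)}))
        if key is not None:
            return key
    return KEYDB.get(frozenset({(local_user, local_machine),
                                (remote_user, remote_machine)}))

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (stands in for DES/ENIGMA)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Party:
    """One end of the connection: role "imposer" (no -r) or "responder" (-r);
    user/machine/service is the local identity (-u/-s), remote_* is -U/-M/-S."""
    def __init__(self, role, user, machine, service,
                 remote_user, remote_machine, remote_service, with_u=True):
        self.user, self.machine, self.service = user, machine, service
        self.remote = (remote_user, remote_machine, remote_service)
        self.key = select_key(user, machine, remote_user, remote_machine,
                              responder_with_u=(role == "responder" and with_u))
        self.nonce = os.urandom(16)
        self.log, self.avas, self.status = [], {}, None

    def ident(self):
        return "|".join((self.user, self.machine, self.service)).encode()

    def accepts(self, peer_ident):  # claimed logname/machine must match -U/-M
        user, machine, _ = peer_ident.decode().split("|")
        return (user, machine) == self.remote[:2]

    def fail(self, reason):
        self.log.append(reason)  # what cr1 would write to /var/iaf/cr1/log
        self.status = 1          # non-zero exit status

    def succeed(self):  # values cr1 would attach with putava/setava
        self.avas = dict(zip(("remote_user", "remote_machine", "remote_service"), self.remote))
        self.status = 0

def run_exchange(imposer, responder):
    """Three messages passed as local values (stand-in for fds 0/1/2 set up by
    invoke(3I)); layout is this example's, not cr1's. Returns both exit statuses."""
    if imposer.key is None or responder.key is None:
        imposer.fail("no shared key" if imposer.key is None else "peer aborted")
        responder.fail("no shared key" if responder.key is None else "peer aborted")
        return imposer.status, responder.status
    # 1. imposer -> responder: identity from -u/-s plus a fresh challenge
    imp_ident, imp_nonce = imposer.ident(), imposer.nonce
    # 2. responder -> imposer: its identity, its own challenge, and a proof of
    #    the key bound to both challenges and both identities
    resp_ident, resp_nonce = responder.ident(), responder.nonce
    proof_r = mac(responder.key, b"R", imp_nonce, resp_nonce, imp_ident, resp_ident)
    expect_r = mac(imposer.key, b"R", imp_nonce, resp_nonce, imp_ident, resp_ident)
    if not imposer.accepts(resp_ident) or not hmac.compare_digest(proof_r, expect_r):
        imposer.fail("responder proof does not verify (key or identity mismatch)")
        responder.fail("imposer rejected our proof")
        return imposer.status, responder.status
    # 3. imposer -> responder: proof bound to the responder's challenge
    proof_i = mac(imposer.key, b"I", resp_nonce, imp_nonce, resp_ident, imp_ident)
    expect_i = mac(responder.key, b"I", resp_nonce, imp_nonce, resp_ident, imp_ident)
    if not responder.accepts(imp_ident) or not hmac.compare_digest(proof_i, expect_i):
        responder.fail("imposer proof does not verify (key or identity mismatch)")
        imposer.fail("responder rejected our proof")
        return imposer.status, responder.status
    imposer.succeed()
    responder.succeed()
    return imposer.status, responder.status

def demo(tamper=False):
    """alice@hostA (imposer) to bob@hostB (responder: -r, no -u). With tamper=True
    the responder holds a different key, so both must exit non-zero and log why."""
    imp = Party("imposer", "alice", "hostA", "rlogin", "bob", "hostB", "rlogin")
    resp = Party("responder", "bob", "hostB", "rlogin", "alice", "hostA", "rlogin",
                 with_u=False)
    if tamper:
        resp.key = b"constructed-tampered-key"
    return run_exchange(imp, resp), imp, resp

if __name__ == "__main__":
    print([demo(t)[0] for t in (False, True)])  # prints [(0, 0), (1, 1)]
```

Both proofs cover both nonces and both claimed identities, so a captured response cannot be replayed and neither side can be talked into authenticating a peer other than the one named by its own -U and -M; a key mismatch on either side surfaces as a non-zero status with a reason in that side's log, which is the behaviour the Diagnostics section describes.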





             Note that, by default, cr1 uses DES encryption.  For this to
             work, both machines using authentication must have the
             Encryption Utilities package installed.  If this package is
             not available, the machines can use authentication using
             ENIGMA encryption, by invoking cr1 as cr1.enigma.  ENIGMA is
             a rotor cipher of the kind behind crypt(1) and is easily
             broken, so cr1.enigma gives the exchange only nominal
             protection; single DES is itself no longer considered
             adequate.

       REFERENCES
             cryptkey(1), getava(3I), getkey(3N), invoke(3I), keymaster(1M)