cr1(1M) cr1(1M)
NAME
cr1 - bilateral IAF authentication scheme
SYNOPSIS
cr1 [-r] [-u local_user] [-s local_service]
[-U remote_user] [-M remote_machine] [-S remote_service]
DESCRIPTION
The cr1 scheme executable implements the cr1 identification
and authentication protocol. The cr1 scheme is a bilateral
scheme that operates within the framework of the
Identification and Authentication Facility (IAF).
cr1 identifies and authenticates users on both the server and
the client machines at the time a connection is established.
Both parties in the communication are authenticated through
the use of a key [see cryptkey(1)]. The effective UID of the
process running cr1 determines the key that is used in the
authentication.
Files
/etc/iaf/cr1/keys
cr1 key database
/var/iaf/cr1/log
cr1 log file
Diagnostics
If authentication fails, cr1 exits with a non-zero return
value and logs a reason or reasons in its log file.
USAGE
To instruct a port monitor to use cr1 to protect a service, a
cr1 command line must be registered in the scheme field of the
service's entry in the port monitor's _pmtab file. When a
remote user attempts to access a service on the local system,
the port monitor passes the command to the invoke function,
which executes the program.
The options to cr1 have the following meanings:
-r Indicates that the scheme will operate in the role
of responder. If this option is not specified,
the scheme operates in the role of imposer.
Copyright 1994 Novell, Inc. Page 1
-u local_user
Indicates the local logname local_user.
-s local_service
Indicates the local service name local_service.
-U remote_user
Indicates the remote logname remote_user.
-M remote_machine
Indicates the remote system remote_machine.
-S remote_service
Indicates the remote service name remote_service.
In the responder role, if the -u option is given, the cr1 scheme
first attempts to use the key shared by the local and remote
machines. If that key is not available to the application (or
if no -u option is given), it attempts to use the key shared by
the local effective user and the principal named by the -M and
-U options. The imposer uses the corresponding key, that is,
the key shared by the responder and the imposer's local
effective user.
The -u and -s options name the local user and the local
service, respectively, which are passed to the remote machine
in the authentication exchange. The -U and -M options name the
remote user and the remote machine, respectively, which cr1
uses to look up keys in its database. Names received from the
remote side are only claims; the remote party is trusted
because it proves possession of the key selected for it, not
because of the names it sends.
The cr1 executable program implements the cr1 protocol,
assuming that file descriptors 0, 1, and 2 have been set to
the connection to be authenticated. The file descriptors are
set by the invoke library function [see invoke(3I)].
Upon successful completion of an authentication exchange, the
cr1 program exits with a value of 0 and associates appropriate
values with the authenticated connection, using the putava and
setava functions. The associated values may then be used by
applications using the authenticated connection, using the
getava and retava functions.
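The following is an added illustration of the key-selection rules and of a bilateral keyed challenge-response exchange of the kind the preceding paragraphs describe. It is not cr1's code or wire format, and it assumes several things the manual page does not state: HMAC-SHA256 stands in for the DES-based keying, both roles run in one process and pass messages as Python dicts instead of over file descriptors 0, 1 and 2, the key database is an in-memory dict constructed here (the format of /etc/iaf/cr1/keys is not modelled), and the responder tells the imposer which key level it chose so the imposer can pick the corresponding key. The names alpha, beta, alice and bob are invented. A non-zero exit with a logged reason models the Diagnostics behaviour; the returned ava dict models what a responder would attach with putava and setava.

```python
import hmac
import hashlib
import secrets

# Constructed key databases, one per machine, standing in for /etc/iaf/cr1/keys
# (assumed layout; the real file's format is not described on this page).
# A principal is (machine, user); user None denotes the machine-level key.
KEY_MACHINES = bytes.fromhex("00112233445566778899aabbccddeeff")   # alpha <-> beta
KEY_USERS = bytes.fromhex("ffeeddccbbaa99887766554433221100")      # alice@alpha <-> bob@beta
KEYDB = {
    "alpha": {(("alpha", None), ("beta", None)): KEY_MACHINES,
              (("alpha", "alice"), ("beta", "bob")): KEY_USERS},
    "beta": {(("beta", None), ("alpha", None)): KEY_MACHINES,
             (("beta", "bob"), ("alpha", "alice")): KEY_USERS},
}


def key_at_level(machine, euser, opts, level):
    """Fetch the machine-level or user-level key shared with the -M/-U principal.
    The effective user (euser) only matters for user-level keys."""
    db = KEYDB[machine]
    if level == "machine":
        return db.get(((machine, None), (opts["M"], None)))
    return db.get(((machine, euser), (opts["M"], opts["U"])))


def responder_key(machine, euser, opts):
    """Key selection modelled on the -u rule: with -u, try the machine key
    first; without -u, or if that key is absent, use the user-level key."""
    if opts.get("u") is not None:
        k = key_at_level(machine, euser, opts, "machine")
        if k is not None:
            return "machine", k
    return "user", key_at_level(machine, euser, opts, "user")


def mac(key, *parts):
    """Keyed proof over the parts; each part is length-prefixed so that
    (a|b) and (ab|) cannot collide.  HMAC is an assumption, not cr1's cipher."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def cr1_exchange(imposer, responder, rng=secrets.token_bytes):
    """Run both roles in-process.  Each side is {"machine", "euser", "opts"},
    opts holding the -u/-s/-U/-M/-S values.  Returns
    (imposer_exit, responder_exit, ava, log): exit 0 on both sides only when
    each party has proved possession of the shared key to the other."""
    log = []
    # 1. imposer -> responder: its -u/-s values plus a fresh challenge nonce.
    n_i = rng(16)
    hello = {"user": imposer["opts"].get("u"),
             "service": imposer["opts"].get("s"), "nonce": n_i}
    # 2. responder selects a key, answers the challenge and issues its own.
    level, k_r = responder_key(responder["machine"], responder["euser"], responder["opts"])
    if k_r is None:
        log.append("responder: no key shared with %s" % responder["opts"].get("M"))
        return 1, 1, None, log
    n_r = rng(16)
    chal = {"level": level, "nonce": n_r,
            "proof": mac(k_r, b"responder", n_i, n_r, responder["machine"].encode())}
    # imposer: take the corresponding key and verify the responder first.
    k_i = key_at_level(imposer["machine"], imposer["euser"], imposer["opts"], chal["level"])
    if k_i is None:
        log.append("imposer: no %s-level key for %s" % (chal["level"], imposer["opts"]["M"]))
        return 1, 1, None, log
    want = mac(k_i, b"responder", n_i, chal["nonce"], imposer["opts"]["M"].encode())
    if not hmac.compare_digest(want, chal["proof"]):
        log.append("imposer: responder failed to prove possession of the key")
        return 1, 1, None, log
    # 3. imposer -> responder: answer to the responder's challenge.
    answer = mac(k_i, b"imposer", chal["nonce"], n_i, (hello["user"] or "").encode())
    want = mac(k_r, b"imposer", n_r, n_i, (hello["user"] or "").encode())
    if not hmac.compare_digest(want, answer):
        log.append("responder: imposer failed to prove possession of the key")
        return 1, 1, None, log
    # Success: values the responder would associate with the connection.
    ava = {"remote_user": hello["user"], "remote_machine": responder["opts"]["M"],
           "remote_service": hello["service"], "key_level": level}
    return 0, 0, ava, log
```

Running cr1_exchange with a responder given -u selects the machine-level key and succeeds for any local effective user on the imposer side; without -u the user-level key is used, so an imposer running under an effective user that has no key with the -M/-U principal fails with a logged reason, which is the practical consequence of the effective-UID rule in the DESCRIPTION.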
Note that, by default, cr1 uses DES encryption. For this to
work, both machines using authentication must have the
Encryption Utilities package installed. If this package is
not available, the machines can instead authenticate using
ENIGMA encryption, by invoking cr1 as cr1.enigma. Neither
choice is strong by current standards: DES has a 56-bit key,
and ENIGMA is weaker still, so an attacker who records an
exchange may be able to recover the shared key offline. Treat
cr1.enigma as a compatibility fallback rather than a security
boundary, and protect the key database accordingly.
REFERENCES
cryptkey(1), getava(3I), getkey(3N), invoke(3I), keymaster(1M)