ONC+ Developer's Guide

AUTH_DES Authentication

You might encounter the following situations with AUTH_SYS authentication:

AUTH_DES authentication attempts to fix these two problems.

The first issue is handled by addressing the caller by a simple string of characters instead of by an operating system-specific integer. This string of characters is known as the net name or network name of the caller. The server should not interpret the caller's name in any way other than as the identity of the caller. Thus, net names should be unique for every caller in the naming domain.

Each operating system's implementation of AUTH_DES authentication generates net names for its users that ensure this uniqueness when they call remote servers. Operating systems already distinguish users local to their systems. Extending this mechanism to the network is usually a simple matter.

For example, a user with a user ID of 515 might be assigned the following net name: UNIX.515@sun.com. This net name contains three items that serve to ensure it is unique. Reading the name from right to left, only one naming domain is called sun.com in the Internet. Within this domain, only one UNIX user has the user ID 515. However, there might be another user on another operating system, for example VMS, within the same naming domain who, by coincidence, happens to have the same user ID. To ensure that these two users can be distinguished, you add the operating system name. So one user is UNIX.515@sun.com and the other is VMS.515@sun.com.

The first field is actually a naming method rather than an operating system name. It just happens that almost a one-to-one correspondence exists between naming methods and operating systems. If there were a common worldwide naming standard, the first field could be a name from that standard, instead of an operating system name.
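The following added example (not code from this guide or from the RPC library) shows why all three fields matter when a server maps a net name to a local user: only a name whose naming method is UNIX and whose domain is the server's own domain yields a local user ID. The function name netname_to_local_uid and the sample names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not the RPC library's own mapping routine.
 * Accepts METHOD.ID@DOMAIN and yields a local user ID only when METHOD is
 * "UNIX" and DOMAIN is exactly the server's naming domain.
 * Returns 0 and sets *uid on success, -1 for every other name. */
int netname_to_local_uid(const char *netname, const char *local_domain,
                         unsigned long *uid)
{
    const char *dot = strchr(netname, '.');  /* end of naming method */
    const char *at = strchr(netname, '@');   /* start of naming domain */
    const char *p;
    char *end;
    unsigned long val;

    if (dot == NULL || at == NULL || dot > at)
        return -1;                           /* not METHOD.ID@DOMAIN */
    if (dot - netname != 4 || strncmp(netname, "UNIX", 4) != 0)
        return -1;                           /* e.g. VMS.515@sun.com */
    if (strcmp(at + 1, local_domain) != 0)
        return -1;                           /* same ID, other domain */
    if (dot + 1 == at)
        return -1;                           /* empty ID field */
    for (p = dot + 1; p < at; p++)
        if (*p < '0' || *p > '9')
            return -1;                       /* ID must be digits only */
    errno = 0;
    val = strtoul(dot + 1, &end, 10);
    if (errno != 0 || end != at)
        return -1;                           /* overflow or trailing data */
    *uid = val;
    return 0;
}

int main(void)
{
    /* Constructed sample names; sun.com is the guide's example domain. */
    const char *names[] = { "UNIX.515@sun.com", "VMS.515@sun.com",
                            "UNIX.515@example.com" };
    unsigned long uid;
    for (size_t i = 0; i < 3; i++) {
        if (netname_to_local_uid(names[i], "sun.com", &uid) == 0)
            printf("%s -> local uid %lu\n", names[i], uid);
        else
            printf("%s -> no local mapping\n", names[i]);
    }
    return 0;
}
```

Names that do not map to a local user remain valid identities; the server compares them as whole strings and grants them no local user's rights.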