SunScreen provides the ability to configure user entities. These entities are used to authenticate individual administrators of Screens and to allow access through the Screen when using proxied services.
Authentication enables you to verify the identity of both internal and external users based on user name and a simple text password, or on a user name and SecurID token passcode, or both.
Proxies provide a means to validate, regulate, and extend the abilities of certain services beyond those afforded by kernel-based stateful packet filtering. (See Chapter 10, Proxies.)
SunScreen distinguishes two kinds of user identity: the authorized user (defined in the authuser database) and the proxy user (defined in the proxyuser database). In addition, administrative user is an alias for authorized user. Administrative users are functionally identical to authorized users, and their role is defined by the access rules.
The common objects authorized user, administrative user, and proxy user that appear in the administration GUI are saved automatically when they are edited or when new objects are added. You do not need to save these objects. Once these objects are added or edited, the change is stored immediately and cannot be reversed. The Save button in the administration GUI is greyed out to show that it is inactive.
Although the changes made to these objects are saved immediately, they do not take effect until a policy is activated. The administration GUI edits authorized users, which are authuser objects; administrative users, which are adminuser objects; or proxy users, which are proxyuser objects.
From the command line, you do not need to type save before quit if only authuser, adminuser, proxyuser, logmacro, or vars entities have been altered. If you attempt to save when no entities other than authuser, proxyuser, logmacro, or vars have been changed, a nonfatal message reminds you of this, and you can simply quit the configuration editor.
Once changes have been made to these objects, the system configuration must be activated to install the new objects and to propagate these changes to secondary Screens.