authuser Object

The authuser (authenticated user) common object specifies the means by which users are to be validated for their roles in proxyuser objects. SunScreen administrative privileges are also often granted based on authuser objects. The authuser common object is automatically saved when it is edited or a new authorized user object is added. The change is not repealed if the edit session is aborted. The Save button in the administration GUI remains greyed out, indicating that no Save is necessary due to such changes.

An authuser object is one of the data objects that defines a SunScreen configuration. You manipulate it through the configuration editor or administration GUI. authuser objects are the repositories for authentication and demographic information used to identify individual users. This information is used to authenticate users by a Screen's access control facilities.

Each authuser object has a name. The name cannot contain the following characters:

! # $ % ^ & * { } [ ] < > " \ ? ` / @ NULL

You can choose the names to coincide with existing, real-world naming schemes for individuals. Thus, "harold.bovis", "Sally Ann Studebaker", and "Rundum, Karr Bo" are examples of legitimate authuser names . The name space of the authorized user is separate from all others in the SunScreen firewall. (In particular, authuser names are different from those that name proxyuser objects.)

Tip: Unlike the names of proxyuser objects, the names of authuser objects are rarely entered by the user directly. The exception to this is their (optional) direct use in administrative access rules (accesslocal and accessremote).

authuser objects store information describing individual users of interest to various SunScreen access control facilities. The data contained within its entries fall into three general groups:

• authentication

• demographics

• control

Authentication information is employed by the processing in the SunScreen firewall to confirm the identity of a potential user. Three types of authentication are supported: simple password, SecurID, and RADIUS. RADIUS authentication does not use authuser objects. A given user object can specify the use of either or both of the other two types simultaneously. Authentication processing attempts to match any password or passcode entered against each type specified in the order present within the entry's record.

(The preceding statement is true within certain limits. For example, a password that cannot possibly be a SecurID passcode will never be presented to that mechanism even if SecurID is specified. If you use the SecurID type, it should be given after all other types.)

The Java-based graphical configuration tools only allow for a single, simple password type or a SecurID type, in that order. Both the authuser objects and the SunScreen authentication processing allow multiple, simple password types to be specified, and each will be tried in the order present. However, entries with multiple, simple password types will not be properly displayed or edited by the Java-based tools.)

Demographic information stored in authuser objects is used to identify users better and to improve and possibly automate user contact:

• DESCRIPTION="desc" - Specifies a plain-text description string desc to be associated with the user entry.

• REAL_NAME-"namestr" - Specifies an optional real name string to be associated with the authuser object.

• CONTACT_INFO="contactstr" - Specifies an optional contact information string to be associated with the authuser object (for example, email address).

Control items are used by the authentication logic to restrict processing, and the like. Each authentication item can have an individual enablement tag, which determines if that particular item is to be processed. The entire object also has such an enablement tag, allowing a user's entry to be turned-off without deleting it. (Technically, the structure that stores the name is also a control item.)

• ENABLED - Allows authentication processing to consider this object. This is the default.

• DISABLED - Does not allow authentication processing from considering this object.

• PASSWORD={ "pwd" pwdarg ... } - Specifies a simple password method to be used for authentication. The pwd field is the user password, in plain-text. The processing for the PASSWORD keyword automatically translates this string from plain-text into crypto-text, and causes a CRYPT_PASSWORD subitem to represent pwd. Thereafter, the plain-text password is displayed as an empty string, with the CRYPT_PASSWORD subitem retaining the password. The subitems for the pwdarg are:

  • CRYPT_PASSWORD="cryptpwd" - The DES-encrypted version of the user's password. This value retains the password in a form that avoids its compromise. When presenting this value to the add verb, the value of pwd should be empty (""). (The password encryption mechanism is the same one used by Solaris' native user password scheme.)

  • ENABLED - Allows authentication processing to attempt to match this password item. This is the default.

  • DISABLED - Does not allow authentication to attempt to match this password item.

• SECURID={ "sidname" sidargs ... } - Specifies the SecurID method to be used for authentication. The sidname is the string in the login: or Default login: field in the SecurID server entry for this user. The subitems within sidargs are:

  • ENABLED - Allows authentication processing to attempt to match this SecurID item. This the default.

  • DISABLED - Does not allow authentication processing to attempt to match this SecurID item.