Authorize who to do what.
Authentication of the user is done using the protocol specified in
authProto. Identification of "who the client's user is" is done with
the Identification (ident) protocol against the client host, if that
host supports the protocol. Otherwise, an FTP server may be used as an
authentication server.
In HTTP-DeleGate, the user declares "who am I" by giving an Authorization
header (in the request message) consisting of Username:Password, where
Username can take the form User@Host. Given such a set of User, Host and
Password, DeleGate tries to log in to the (FTP) server on Host with User
and Password. If the login succeeds, the client is authenticated as
User@Host.
Currently the following categories of authentication/authorization are
supported:

AUTH=admin:authServ:listOfUsers[:listOfHosts]
Enables the remote configuration and administration of DeleGate via
HTTP (or HTTPS) at "http://delegateHost:Port/-/admin/".
It allows a user to do remote administration if the user is
authenticated with authServ and is in listOfUsers. For example,
AUTH=admin:-pam:user authorizes the user if authenticated with PAM.
AUTH=admin is the abbreviation of AUTH="admin:-pam:%O",
where "%O" represents the owner of this DeleGate process.
An empty authServ, as in AUTH=admin::user:pass, means authorizing the
username user with the password pass.
If ":listOfHosts" is specified, users to be authorized must access
from one of the client hosts in the list.
A DeleGate for an arbitrary protocol (regardless of SERVER=protocol)
can have a port for remote administration by specifying a port devoted
to administration with the "/admin" modifier, as in the
"-PuserPort,adminPort/admin" option.
Example:
SERVER=pop -P110,9110/admin AUTH=admin::admin:password
The URL for remote administration of this DeleGate (as a POP proxy) is
"https://delegateHost:9110/-/admin/"
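As an added illustration of the field rules described above (this is not DeleGate's own code), the following Python parses an admin AUTH value and applies the authServ, listOfUsers and listOfHosts checks to a constructed request. The comma-separated lists, shell-style wildcard host entries, and the `owner` argument standing in for "%O" are assumptions made for the example; the verdict of an external authServ such as PAM is passed in as a boolean rather than performed here.

```python
import fnmatch
import hmac

# Added illustration of the field rules documented for AUTH=admin;
# it is not DeleGate's own code. Assumed layout, taken from the text:
#   AUTH=admin:authServ:listOfUsers[:listOfHosts]
#   AUTH=admin::user:pass[:listOfHosts]   (empty authServ: fixed user/password)
# Assumptions for illustration: list entries are comma-separated, and host
# entries may use shell-style wildcards such as "*.example.com".

def parse_admin_auth(value, owner):
    """Parse the text after "AUTH=" for the admin category.

    `owner` stands in for "%O", the owner of the DeleGate process."""
    fields = value.split(":")
    if fields[0] != "admin":
        raise ValueError("not an admin AUTH parameter: %r" % value)
    if len(fields) == 1:                    # bare AUTH=admin is
        fields = ["admin", "-pam", "%O"]    # short for admin:-pam:%O
    auth_serv = fields[1]
    cfg = {"auth_serv": auth_serv, "users": set(), "password": None, "hosts": []}
    if auth_serv == "":
        # AUTH=admin::user:pass -- one user with a literal password
        if len(fields) < 4:
            raise ValueError("empty authServ needs user and password")
        cfg["users"] = {fields[2]}
        cfg["password"] = fields[3]
        rest = fields[4:]
    else:
        if len(fields) < 3:
            raise ValueError("listOfUsers is required")
        cfg["users"] = {owner if u == "%O" else u for u in fields[2].split(",")}
        rest = fields[3:]
    if rest and rest[0]:
        cfg["hosts"] = rest[0].split(",")
    return cfg


def admin_allowed(cfg, user, client_host, password=None, authenticated=False):
    """Decide whether `user` from `client_host` may use /-/admin/.

    `authenticated` is the verdict of the external authServ (e.g. PAM);
    with an empty authServ the literal password is checked here instead."""
    if cfg["auth_serv"] == "":
        # constant-time comparison so a wrong guess does not leak timing
        if password is None or not hmac.compare_digest(password, cfg["password"]):
            return False
    elif not authenticated:
        return False
    if user not in cfg["users"]:
        return False
    if cfg["hosts"] and not any(fnmatch.fnmatchcase(client_host, h) for h in cfg["hosts"]):
        return False
    return True


if __name__ == "__main__":
    # The page's own example: SERVER=pop -P110,9110/admin AUTH=admin::admin:password
    cfg = parse_admin_auth("admin::admin:password", owner="delegate")
    print(admin_allowed(cfg, "admin", "10.0.0.5", password="password"))   # True
    print(admin_allowed(cfg, "admin", "10.0.0.5", password="guess"))      # False
```

Note that with an empty authServ the password is stored and compared as a literal, which is the documented behaviour; restricting such a port with listOfHosts (or binding it to a loopback or management address) limits who can even attempt the comparison.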

AUTH=anonftp:*:passWord
If specified, DeleGate forwards the E-mail address of the client's user
(as declared by the user) to the target FTP server as the anonymous
password. Without this AUTH, HTTP-DeleGate sends the ADMIN's E-mail
address by default.
The E-mail address must be in the form user@host; otherwise (if the host
part is not given) the FTP login is rejected by DeleGate.
HTTP-DeleGate asks anonymous users to declare their E-mail address as
the Username part of Authorization. If the passWord field is specified
as "*" (i.e. AUTH="anonftp:*:*"), then any Password in the Authorization
is acceptable.
In FTP-DeleGate, the E-mail address must be given as the password (in
the PASS command) for the anonymous user, and that password is also
matched against passWord.
The second field must be "*" in the current implementation.
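The following Python is an added illustration (not DeleGate's own code) of the address check described above for AUTH=anonftp:*:passWord, applied on the FTP-DeleGate side to the value an anonymous user supplies in the PASS command. The text only documents "*" as a passWord value; treating any other value as requiring an exact match is an assumption of this example, as is the "USER anonymous" login pair it builds on success.

```python
# Added illustration, not DeleGate's own code: the e-mail address check
# described for AUTH=anonftp:*:passWord, applied to the value an
# anonymous FTP user supplies in the PASS command.

def check_anon_email(given, pass_word="*"):
    """Return (accepted, detail) for an anonymous login attempt.

    `given`     the string from the PASS command (the declared address)
    `pass_word` the third field of AUTH=anonftp:*:passWord; "*" accepts
                any address, anything else must match exactly (assumption:
                the text only documents "*")"""
    if "@" not in given:
        return False, "rejected: no host part (address must be user@host)"
    user, host = given.rsplit("@", 1)
    if not user or not host:
        return False, "rejected: empty user or host part"
    if pass_word != "*" and given != pass_word:
        return False, "rejected: does not match passWord"
    return True, "forwarding PASS %s to the FTP server" % given


def anonymous_login(given, pass_word="*"):
    """The FTP command pair forwarded on success, else None (assumed form)."""
    ok, _ = check_anon_email(given, pass_word)
    if not ok:
        return None
    return ["USER anonymous", "PASS " + given]


if __name__ == "__main__":
    # Constructed sample inputs, not real traffic.
    for candidate in ("alice@host.example", "alice", "@host.example", "alice@"):
        print("%-20s %s" % (candidate, check_anon_email(candidate)[1]))
```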

AUTH=anonftp:smtp-vrfy:passWord
If specified, DeleGate verifies (using the SMTP protocol) the validity
of the E-mail address given by anonymous users.
In HTTP-DeleGate, the E-mail address must be given as the Username part
of Authorization. In FTP-DeleGate, it must be given as the password for
the anonymous user.
With this AUTH, invalid E-mail addresses can be rejected. When the
address is valid but is in a short form like "user@host", it is expanded
automatically to an FQDN form like "user@host.domain".
If the third field is "-" (i.e. AUTH="anonftp:smtp-vrfy:-@*"), only
connectivity to the mail server at "host.domain" is checked.

AUTH=proxy:authProto
Specifies the identification/authorization protocol for DeleGate as an
HTTP proxy server. This parameter is checked only when access control
for users is specified in PERMIT or RELIABLE.
ident -- Identification protocol [default]
pauth -- Use the Proxy-Authorization field "user@host:password"
auth -- Use the Authorization field "user@host:password"
Example:
AUTH=proxy:auth PERMIT="*:*:{*,!?}@*"
// Any user at any host is allowed as long as he/she is identified.
Note:
When the client does not support Proxy-Authentication, you are obliged
to use "proxy:auth" for authentication. In such a case, note that the
client cannot access resources which require Authentication, since its
Authorization field is already used to identify it to the proxy.
When FTP-server based authentication is used, the recommended user name
in the authorization information is an e-mail address like
"user@host.domain", so that it can be used commonly for both
AUTH="anonftp" and AUTH="proxy".
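As an added illustration (not DeleGate's own code) of the proxy:pauth and proxy:auth settings above, the following Python shows which request header is consulted for each authProto and how the "user@host:password" credential carried in it is taken apart. It assumes the credential is sent with the HTTP Basic scheme (base64 of "Username:Password"), which is the standard form of those two headers; the `basic_header` helper shows what a client sends, and the header names are the standard ones the text refers to.

```python
import base64
import binascii

# Added illustration, not DeleGate's own code: which request header is
# consulted under AUTH=proxy:authProto, and how the "user@host:password"
# credential in it (HTTP Basic: base64 of "Username:Password") is split.

HEADER_FOR = {
    "pauth": "proxy-authorization",   # AUTH=proxy:pauth
    "auth": "authorization",          # AUTH=proxy:auth
}


def basic_header(username, password):
    """What a client sends: Basic base64("Username:Password")."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def identify_user(auth_proto, headers):
    """Return (user, host, password), or None when no usable credential is
    present in the request headers.

    `headers` maps lowercased header names to values from the request.
    For "ident" the answer comes from querying the client host, which is
    outside this function, so it returns None here."""
    name = HEADER_FOR.get(auth_proto)
    if name is None:
        return None
    value = headers.get(name)
    if not value:
        return None
    scheme, _, cred = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(cred.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")   # password may contain ':'
    if not sep or not username:
        return None
    user, _, host = username.partition("@")            # Username may be User@Host
    return user, host, password


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    hdrs = {"proxy-authorization": basic_header("alice@host.example", "s3cret")}
    print(identify_user("pauth", hdrs))   # ('alice', 'host.example', 's3cret')
    print(identify_user("auth", hdrs))    # None: no Authorization field present
```

The second call in the usage block is the situation the Note describes in reverse: a client that can only send Authorization (not Proxy-Authorization) is unidentified under proxy:pauth, which is why proxy:auth must be configured for it, at the cost of that header no longer being available for the origin server.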