AUTHORIZER parameter*

  AUTHORIZER=authServList[@realmValue][:connMap]
  authServList == [authForw,]authServ[,authServ]* | & | *
  authForw     == -map{inPat}{localPat}{fwdPat} | -strip | -fwd
  authServ     == authHost[/portNum][(reprUser)]
  authHost     == hostName | hostAddr
  realmValue   == word | {words separated with space}
  connMap      == ProtoList:dstHostList:srcHostList

  -- default: none
  -- restriction: applicable to Telnet, FTP, NNTP, SMTP, IMAP, Socks, SockMux, and HTTP
Note that even a client authorized by an auth-server is not permitted if the client's host does not pass the other access controls (RELIABLE and PERMIT). To permit any authorized client regardless of its host, specify RELIABLE="-a/*", which accepts a host only for authenticated clients. RELIABLE="*" also works for this purpose, but it is not safe: it marks every host as reliable unconditionally, so a later change to the configuration (or to DeleGate itself) that drops the authentication requirement would leave the proxy open to everyone.
By adding a connMap, an auth-server can be selected conditionally on a combination of destination protocol, server host and client host. authServList is the host name of an authentication server, or a list of host names of authentication servers. If authServList is followed by "@realmValue", the value is used to define the realm of the protection space in HTTP-DeleGate. It can be overridden by the MountOption "realm=realmValue" for each MOUNT point.
Currently, the default protocol for a remote authentication/authorization server is the FTP protocol, with the USER and PASS commands. Thus any real FTP server can be used as an authentication/authorization server for DeleGate. Keep in mind that plain FTP carries USER and PASS in clear text, so the client's password travels unprotected between DeleGate and the auth-server; that link should be on a trusted network. Another way of maintaining DeleGate's own lists for authentication/authorization is the -Fauth function.
There are built-in auth-servers to be used as authServ as follows (the ones used in the examples on this page):

  -cmd{command}{environment}  run an external command to authenticate the user
  -dgauth                     Digest authentication (HTTP) or APOP (POP) with clients
  -pam                        PAM authentication
  -list{user:pass,...}        a list of user names and passwords written in the parameter itself
  -none                       accept the user without authentication

A reprUser in parentheses after an auth-server gives the user name under which a client authenticated by that auth-server is represented (see the -list/-pam/-none example below).

With -cmd, the result of the authentication by the command is shown in its output string or by its exit code. The command may put a string on its standard output to show the result in the form of a status response of the FTP protocol, that is, "230" for success and "530" for failure. Otherwise the exit code of the process is used, the value zero for success and non-zero values for failure.

Example: passing the user name in an argument while the password is in an environment variable (a password passed as an argument would be visible to other local users in the process list; the environment of a process is not readable by other users)

AUTHORIZER="-cmd{myauth %U}{MYPASS=%P}"

[the content of the myauth command]

#!/bin/sh
# $1 carries the user name (%U), MYPASS carries the password (%P)
if [ "$1" = "user1" -a "$MYPASS" = "pass1" ]; then
echo "230 SUCCESS"
else
echo "530 FAILURE"
fi

Example: -dgauth

// a HTTP proxy or server with the Digest authentication with clients.
SERVER=http AUTHORIZER=-dgauth
// a POP proxy which uses APOP authentication with clients.
SERVER=pop MOUNT="* pop://server/*" AUTHORIZER=-dgauth

Note that most PAM authentications need to be executed with superuser privilege on Unix (with the OWNER="root" option). You can avoid running DeleGate itself with superuser privilege by installing the external program "dgpam" under DGROOT/subin/. PAM authentication can also be delegated to a remote PAM server.

Example: a list of auth-servers, each with a representative user name (reprUser)

AUTHORIZER="-list{u1:p1,u2:p2}(local),-pam,-none(anonymous)"
// a user may be authenticated as "local" or as some user name in PAM,
// or "anonymous" otherwise
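The myauth script above accepts exactly one hard-coded user. The following script is an added example (not part of the DeleGate manual or distribution) of a -cmd authenticator that follows the same contract, user name in $1 and password in MYPASS, answering with the documented "230"/"530" status line, but looks users up in a credentials file of "user:sha256hex" lines. The file format and its default path are assumptions of this example; sha256sum/shasum and awk are the only tools it needs.

```shell
#!/bin/sh
# Added example of an external authenticator for
#   AUTHORIZER="-cmd{myauth %U}{MYPASS=%P}"
# DeleGate runs it with the user name as $1 and the password in MYPASS.
# It prints an FTP-style status line: "230 ..." on success, "530 ..." on failure.
# Credentials file (assumed format for this example): one "user:sha256hex" per line.

AUTHDB="${AUTHDB:-/usr/local/etc/delegate/myauth.db}"   # hypothetical default path

# hash_pw PASSWORD: print the hex SHA-256 of the password (unsalted; see note below).
hash_pw() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | awk '{print $1}'
  else
    printf '%s' "$1" | shasum -a 256 | awk '{print $1}'
  fi
}

# check_user USER PASSWORD DBFILE: print the status line, return 0 (accept) or 1 (reject).
check_user() {
  user=$1; pass=$2; db=$3
  # Reject empty or oddly formed user names before they reach the lookup.
  case "$user" in
    ''|*[!A-Za-z0-9._@-]*) echo "530 FAILURE"; return 1 ;;
  esac
  # Exact match on the first field; the user name is passed as an awk variable,
  # never spliced into the program text.
  stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$db")
  if [ -n "$stored" ] && [ "$stored" = "$(hash_pw "$pass")" ]; then
    echo "230 SUCCESS"; return 0
  fi
  echo "530 FAILURE"; return 1
}

# When invoked by DeleGate: user name in $1, password in MYPASS.
if [ $# -gt 0 ] && [ -n "${MYPASS+x}" ]; then
  check_user "$1" "$MYPASS" "$AUTHDB"
  exit $?
fi
```

A plain SHA-256 of the password is enough to show the protocol, but a real deployment should store a proper salted password hash or simply hand the check to -pam; the point here is the contract between DeleGate and the command, not the storage scheme.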
The "-map" prefix is used to split the incoming authentication information of USER and PASS (matched by the inPat pattern) into a pair of authentications: one to be used locally by authServList (generated by localPat) and another to be forwarded to the server (generated by fwdPat). Each piece of authentication information to be matched or generated is represented by a string pairing a user name and a password as "username:password". If the user name string generated by fwdPat ends with a substring "@Host", that substring is stripped and Host is used as the destination server. The string is matched and generated with the pattern specification format common to the one used for pattern matching in the MOUNT parameter.
Example: -map

local auth. by u1 or PAM <-- USER user1 + PASS pass1
outgoing to the server h2 <-- USER user2 + PASS pass2

Example: -strip

  USER u1@u2@u3@h3@h2@h1
  PASS p1@p2@p3

"-strip" is used to support a nested user name and password like the USER and PASS above. It strips the first element before '@' from USER and from PASS and uses them for local authentication, strips the last element after '@' from USER and uses it as the destination server, then forwards the remaining strings to the destination server.

Example: -fwd

"-fwd" specifies that the same USER and PASS are used both for local authentication and for authentication with the server.
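To see what each hop in a chain of DeleGates configured with -strip actually receives, the following shell functions model the rule stated above (first element of USER and PASS kept locally, last element of USER taken as the destination, the rest forwarded). This is an added illustration written for this page, not DeleGate code; it applies the rule literally to the nested USER/PASS from the -strip example and prints one line per hop.

```shell
#!/bin/sh
# Added example: a model of DeleGate's "-strip" decomposition, not DeleGate's own code.

# strip_hop USER PASS
# Prints "local_user|local_pass|dest_host|fwd_user|fwd_pass" for one hop.
strip_hop() {
  user=$1; pass=$2
  local_user=${user%%@*}      # first element before '@' in USER -> local authentication
  local_pass=${pass%%@*}      # first element before '@' in PASS -> local authentication
  rest_user=${user#*@}        # USER with the first element removed
  rest_pass=${pass#*@}        # PASS with the first element removed
  case "$user" in *@*) ;; *) rest_user="" ;; esac   # nothing left if there was no '@'
  case "$pass" in *@*) ;; *) rest_pass="" ;; esac
  dest_host=${rest_user##*@}  # last element after '@' -> destination server
  case "$rest_user" in *@*) fwd_user=${rest_user%@*} ;; *) fwd_user="" ;; esac
  printf '%s|%s|%s|%s|%s\n' "$local_user" "$local_pass" "$dest_host" "$fwd_user" "$rest_pass"
}

# strip_chain USER PASS
# Applies strip_hop repeatedly, as successive DeleGates with -strip would,
# until nothing remains to forward. One line per hop.
strip_chain() {
  u=$1; p=$2; hop=0
  while [ -n "$u" ]; do
    hop=$((hop + 1))
    line=$(strip_hop "$u" "$p")
    printf 'hop %d: %s\n' "$hop" "$line"
    u=${line#*|*|*|}; u=${u%|*}   # 4th field: USER forwarded to the next hop
    p=${line##*|}                  # 5th field: PASS forwarded to the next hop
  done
}

# Constructed input: the nested credentials from the -strip example above.
strip_chain 'u1@u2@u3@h3@h2@h1' 'p1@p2@p3'
```

Run as-is, the chain shows the first hop authenticating u1/p1 and connecting to h1 with "u2@u3@h3@h2"/"p2@p3", the second (at h1) authenticating u2/p2 and connecting to h2 with "u3@h3"/"p3", and the third (at h2) authenticating u3/p3 and connecting to h3 with nothing left to forward; that is why each level of the chain consumes exactly one user, one password and one host.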
If only authentication of a user is necessary, without authorization, the following special name is useful as an authServList.
Example: