| home | updates | download | manual | documents | feedback | search | ITS more |
|
There are built-in auth-servers to be used as authServ as follows:
- -none
-- allow without caring if authentication is given or not
- -never -- disallow without careing if authentication is given or not
- -any -- any combination of username + password is acceptable
- -anonftp -- username is "ftp" or "anonymous" and password includes "@"
- -dgauth[.realm] -- password is sent safely as a digest (HTTP and APOP)
- -pam/service -- username + password is checked by PAM
- -list{user:pass,...} -- the pair of username and password is in the list
- -userpass/user/pass -- equivalent to -list{user:pass}
- -hostlist/ListName -- client's host is in the HOSTLIST=ListName:HostList
- -fail.badpass -- disallow if the username exists but password is wrong
- -fail.nopass -- disallow if password is not given or empty
- -cmd{cmd arg ...}{ENV=val ...} -- external command for authentication
- -ntht -- NTLM over HTTP (Win32 only)
- -login -- logon to the local host (Win32 only)
- -man -- manual authentication on demand
- -never -- disallow without careing if authentication is given or not
- DGAuth: -dgauth[.realm][{user:pass,...}]
- Authentication scheme based on digested password, specific to each
application protocol, is enabled with "AUTHORIZER=-dgauth".
This kind of authentication scheme,
at least APOP proxy or HTTP Digest/Basic gateway does,
requires the original cleartext of password.
A simple way to do so is giving directly a list of pairs of username
and password as
-dgauth{user1:pass1,user2:pass2,...}.
Another way is storing passwords by DeleGate with
"-Fauth -a username:password -dgauth".
Since passwords for -dgauth is stored in encrypted form, a keyword is
required for the encryption.
Specify the keyword as CRYPT=pass:keyword
or answer it interactively afterwards.
Otherwise, DGAuth can be delegated to a remote
DGAuth server.
DGAuth generates a session identifier which is retained identically
during the session started by an authentication,
then passed to CFI/CGI programs in environment variable "X_DIGEST_SESSION"
and can be logged into PROTOLOG.
Example:
-
// a HTTP proxy or server with the Digest authentication with clients.
SERVER=http AUTHORIZER=-dgauth
// a POP proxy which uses APOP authentication with clients.
SERVER=pop MOUNT="* pop://server/*" AUTHORIZER=-dgauth
- PAM: -pam[/service]
- On platforms where PAM (Pluggable Authentication Modules) is available,
it can be used for authentication with the syntax
AUTHORIZER="-pam/service",
for example as AUTHORIZER="-pam/passwd", AUTHORIZER="-pam/ftp" and so on.
Note that most of PAM authentications need to be executed under the privilege of superuser on Unix (with OWNER="root" option). But you can avoid running your DeleGate with superuser privilege by installing external program "dgpam" under DGROOT/subin/. Also PAM authentication can be delegated to a remote PAM server. - LIST: -list{user[:pass],...}
- An element of the list can be user only without ":pass"
which means matching user name only and don't care the password.
In the "-list{user:pass,...}", substitution by
"[date+format]"
can be used in user and pass.
For example, AUTHORIZER="-list{guest:[date+%y%m]}" means accepting
usrename "guest" with password "0405" in May 2004.
Example:
-
AUTHORIZER="-list{u1:p1,u2:p2}(local),-pam,-none(anonymous)"
// a user may be authenticated as "local" or as some user name in PAM,
// or "anonymous" otherwise
- CMD: -cmd{cmd arg ...}[{ENV=val ...}[{input-pattern}]]
-
Do the authentication with an external command cmd.
Values to be used the authentication to be passed to the command is
specified with the format as "%format"
like %U for username and %P for password.
A parameter can be passed in command-line argument,
in environment variable or in the standard input of the command.
If the environment and input-pattern is omitted as
AUTHORIZER="-cmd{cmd} , the pair of user name and password is passed by default as if implicitly specified asAUTHORIZER="-cmd{cmd}{DG_USER=%U DG_PASS=%P}{USER %U\nPASS %P\n}". The result of the authentication by the command is shown in its output string or by its exit code. The command may puts a string to its standard output to show the result in the form of a status response of the FTP protocol, that is, "230" for success and "530" for failure. Otherwise the exit code of the process is used, the value zero for success and non-zero values for failure.
Example: passing username in argument while password in environment variable
-
AUTHORIZER="-cmd{myauth %U}{MYPASS=%P}"
[the content of the myauth command]
#!/bin/sh
if [ "$1" = "user1" -a "$MYPASS" = "pass1" ]; then
echo "230 SUCCESS"
else
echo "530 FAILURE"
fi