Authentication scheme based on digested password, specific to each
application protocol, is enabled with "AUTHORIZER=-dgauth".
This kind of authentication scheme,
at least APOP proxy or HTTP Digest/Basic gateway does,
requires the original cleartext of password.
A simple way to do so is giving directly a list of pairs of username
and password as
-dgauth{user1:pass1,user2:pass2,...}.
Another way is storing passwords by DeleGate with
"-Fauth -a username:password -dgauth".
Since passwords for -dgauth is stored in encrypted form, a keyword is
required for the encryption.
Specify the keyword as CRYPT=pass:keyword
or answer it interactively afterwards.
Otherwise, DGAuth can be delegated to a remote
DGAuth server.
DGAuth generates a session identifier which is retained identically
during the session started by an authentication,
then passed to CFI/CGI programs in environment variable "X_DIGEST_SESSION"
and can be logged into PROTOLOG.
Example:
// a HTTP proxy or server with the Digest authentication with clients. SERVER=http AUTHORIZER=-dgauth
// a POP proxy which uses APOP authentication with clients. SERVER=pop MOUNT="* pop://server/*" AUTHORIZER=-dgauth
PAM: -pam[/service]
On platforms where PAM (Pluggable Authentication Modules) is available,
it can be used for authentication with the syntax
AUTHORIZER="-pam/service",
for example as AUTHORIZER="-pam/passwd", AUTHORIZER="-pam/ftp" and so on.
Note that most of PAM authentications need to be executed under the
privilege of superuser on Unix (with OWNER="root" option).
But you can avoid running your DeleGate with superuser privilege by
installing external program "dgpam" under DGROOT/subin/.
Also PAM authentication can be delegated to a remote
PAM server.
LIST: -list{user[:pass],...}
An element of the list can be user only without ":pass"
which means matching user name only and don't care the password.
In the "-list{user:pass,...}", substitution by
"[date+format]"
can be used in user and pass.
For example, AUTHORIZER="-list{guest:[date+%y%m]}" means accepting
usrename "guest" with password "0405" in May 2004.
Example:
AUTHORIZER="-list{u1:p1,u2:p2}(local),-pam,-none(anonymous)"
// a user may be authenticated as "local" or as some user name in PAM,
// or "anonymous" otherwise
Do the authentication with an external command cmd.
Values to be used the authentication to be passed to the command is
specified with the format as "%format"
like %U for username and %P for password.
A parameter can be passed in command-line argument,
in environment variable or in the standard input of the command.
If the environment and input-pattern is omitted as
AUTHORIZER="-cmd{cmd},
the pair of user name and password is passed by default
as if implicitly specified as
AUTHORIZER="-cmd{cmd}{DG_USER=%U DG_PASS=%P}{USER %U\nPASS %P\n}".
The result of the authentication by the command is shown in its output string
or by its exit code.
The command may puts a string to its standard output to show the result
in the form of a status response of the FTP protocol, that is,
"230" for success and "530" for failure.
Otherwise the exit code of the process is used, the value zero for success
and non-zero values for failure.
Example: passing username in argument while password in environment variable