The Realm Configuration File
The realm configuration file is maintained by the I2A2 administrator. Realms are created by inclusion in the configuration file, and their characteristics are set or changed by editing it. Configuration file changes take effect immediately.
Configuration File Syntax
- The syntax of the configuration file is based on keywords (or keyword pairs) and their associated values (tokens). Keywords and tokens must be set off by at least one space, tab or newline; white space is otherwise ignored.
- Comments are set off by pairs of braces ({}).
General Keywords
- REALM/REALM_END: A realm file may define multiple realms. Each realm definition within a configuration file is enclosed within this keyword pair.
- NAME: This is the human-readable name of the realm that is passed to authcnetd.
- ID: This is the realm's numeric ID, which is mostly used internally.
- SADMIN: The PUID of the realm's super-administrator. Each realm must have a super-administrator, who is all-powerful within the realm.
- ACL/ACL_END: Realm sub-administrators are created by listing them in access control list (ACL) entries. The ACL entries within a realm must be enclosed within this keyword pair.
- ACL_ENTRY: A single ACL entry for a realm sub-administrator follows the ACL_ENTRY keyword. The entry gives the PUID of the sub-administrator, the sub-administrator's permission mask, the PUID of the creator, and the time of creation (MM.DD.YYYY.HH.MM.SS). (The latter two values are somewhat arbitrary and currently unused.) The permission mask is given by mnemonic letters:
  - r -- read
  - w -- write
  - j -- join, unjoin
  - m -- modify realm member ACLs (create, delete, modify)
  - a -- all permissions (equivalent to the super-administrator)
Authentication policy keywords
Different realms may desire different authentication policies to implement their security policies. These policies are controlled by the following keywords:
- BADAUTH_MAX - the number of consecutive bad authentication attempts before the action given by BADAUTH_ACTION is triggered.
- BADAUTH_ACTION - the action to take when BADAUTH_MAX is exceeded. One of:
  - NONE - The default policy if none is specified.
  - LOG - Log a security event that may be noted by an external procedure.
  - FREEZE - Return a NAK even if the password hash matches.
  - TEMPFREEZE - Like FREEZE, but with the possibility of thawing the account if the password hash matches and BADAUTH_BACKON seconds have elapsed.
- BADAUTH_BACKON - elapsed time in seconds before considering thawing an account when the TEMPFREEZE policy is in place. This parameter has no meaning unless TEMPFREEZE is also specified.
- AUTH_THROTTLE - Minimum delay in milliseconds between authentication attempts. This throttles the number of authentication attempts per second per authcnetd connection. E.g., if it is set to 500, an artificial 0.5 second delay is introduced into each reply to an authentication request, and no more than 2 attempts per second can be made through a single authcnetd connection. N.B.: attackers may open an arbitrarily large number of authcnetd connections, limited only by overall system resources, so the throttle bounds the rate per connection, not the total rate.
Encryption type keywords
The ETYPE keyword specifies the encryption to use for converting clear text passwords into password hashes to store in the DBM. The supported types and their definitions are given in puid_etypes.h and are described here.
Trust relationship keywords
Realms may choose to trust authentication credentials from other realms. The TRUSTED and TRUSTED_END keyword pair bounds a list of realm names that the current realm wishes to trust. For example:
    trusted purdue boiler trusted_end
indicates that the realm currently being defined desires to trust the "purdue" and "boiler" realms.
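As an added illustration of the syntax described above (this is not code from I2A2 itself), here is a small Python parser for the realm file format together with a check for the lockout settings the BADAUTH keywords describe as inert or inconsistent. It assumes keywords are case-insensitive, as the lowercase trusted example suggests, that brace comments do not nest, and that the sample realm file embedded below is constructed rather than taken from a real deployment.

```python
import re
def tokenize(text):
    # Brace pairs are comments; everything else splits on runs of whitespace.
    return re.sub(r"\{[^}]*\}", " ", text).split()
def parse_realms(text):
    toks, realms = iter(tokenize(text)), []
    for tok in toks:
        if tok.upper() != "REALM":
            raise ValueError(f"token {tok!r} outside a REALM/REALM_END block")
        realm = {"acl": [], "trusted": []}
        for kw in map(str.upper, toks):            # map() pulls lazily from toks
            if kw == "REALM_END":
                break
            if kw == "ACL":
                for ent in map(str.upper, toks):
                    if ent == "ACL_END":
                        break
                    if ent != "ACL_ENTRY":
                        raise ValueError(f"expected ACL_ENTRY, got {ent!r}")
                    puid, mask, creator, created = [next(toks) for _ in range(4)]
                    if not mask or not set(mask) <= set("rwjma"):   # mask letters from the text
                        raise ValueError(f"bad permission mask {mask!r} for {puid}")
                    realm["acl"].append((puid, mask, creator, created))
            elif kw == "TRUSTED":
                for name in toks:
                    if name.upper() == "TRUSTED_END":
                        break
                    realm["trusted"].append(name)
            else:                                  # NAME, ID, SADMIN, BADAUTH_*, ...
                realm[kw.lower()] = next(toks)
        else:
            raise ValueError("REALM block not closed by REALM_END")
        realms.append(realm)
    return realms
def policy_findings(realm):
    # Lockout settings the keyword descriptions above call inert or inconsistent.
    action, out = realm.get("badauth_action", "NONE").upper(), []
    if action == "NONE":
        out.append("BADAUTH_ACTION is NONE: bad attempts are neither logged nor frozen")
    if action == "TEMPFREEZE" and "badauth_backon" not in realm:
        out.append("TEMPFREEZE without BADAUTH_BACKON: no thaw interval is defined")
    if action != "TEMPFREEZE" and "badauth_backon" in realm:
        out.append("BADAUTH_BACKON has no meaning unless BADAUTH_ACTION is TEMPFREEZE")
    return out
SAMPLE = """{ constructed sample; not a real I2A2 realm file }
REALM NAME example ID 42 SADMIN 1001 BADAUTH_MAX 5 BADAUTH_ACTION TEMPFREEZE
  BADAUTH_BACKON 600 AUTH_THROTTLE 500 ACL ACL_ENTRY 2002 rwj 1001 01.15.2004.09.30.00
  ACL_ENTRY 2003 a 1001 01.15.2004.09.31.00 ACL_END trusted purdue boiler trusted_end REALM_END"""
```

Running `policy_findings` over each realm returned by `parse_realms(SAMPLE)` yields an empty list for the sample; a realm that sets BADAUTH_BACKON without TEMPFREEZE, or omits BADAUTH_ACTION, is reported.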
A sample realm configuration file