|
|
If the administrator of the client machine wants to enforce the use of a given authentication scheme or schemes for a particular service and machine, the /etc/iaf/serve.allow file must be administered. If the /etc/iaf/serve.allow file is not administered, any authentication scheme specified by the server machine is used; if no scheme is specified, the NULL scheme is assumed. Any scheme named in the /etc/iaf/serve.allow file thus serves to enforce the type of authentication specified.
The /etc/iaf/serve.allow file lists the names of the network services the client machine expects to use and the names of the authentication schemes acceptable to the client machine for use with each service. The system administrator is responsible for creating and maintaining the /etc/iaf/serve.allow file on the client machine. Each line in the file contains the name of a server machine, a network service name, and a comma-separated list of scheme names. The three fields are separated by white space.
#server name service name scheme name(s) # elvis banking cr1,other_scheme elvis uucico cr1
Sample /etc/iaf/serve.allow File
In the example, elvis is a server machine name, banking is a network service name, and cr1 is the name of authentication scheme acceptable to the client machine for the banking service on elvis. other_scheme could be any other secure authentication scheme (for example, kerberos). It must be registered with the banking service on the server machine for an application on the client machine to be able to access the service. If there is no entry in the /etc/iaf/serve.allow file for a network service, the client machine accepts any authentication scheme the server machine specifies for the service.
The system administrator maintains the /etc/iaf/serve.allow file using an editor such as vi.
Before name-to-address mapping is invoked, the connection server consults the /etc/iaf/serve.alias file, if it exists, to find out if the service requested by an application should be requested under another name. If the service name is found in the file, the connection server substitutes its alias for the name given by the application.
The administrator of a server machine may register a service under two names with two different authentication schemes to implement a gradual migration from one authentication scheme to another. For example, a server machine may register a new authentication scheme, newauth, with one of its network services, date. Not all client machines that use the server machine's date command have installed the newauth scheme. In this case the administrator of the server machine will add a ``date.old'' line to the service line in the appropriate port monitor administrative file and enter the old authentication scheme name, ns, in the ``scheme'' field. A client machine that wants to continue using the ns authentication scheme will add
#server name service name service name alias # elvis date date.oldto its /etc/iaf/serve.alias file.
In the example, the first field is the name of the server machine, elvis; the second field is the network service as it is known to the application. Field three is the network service's alias. The connection server will translate the application's request for the date command to a request for date.old and the ns authentication scheme will be used.
The /etc/iaf/serve.alias file is updated using one of the text editors, such as vi.