Few details about C2

From: Martin Mokrejs <mmokrejs_at_prfdec.natur.cuni.cz>
Date: Sun, 20 Jul 1997 17:52:02 +0200 (MET DST)

Hello,
 I read the archive of the list, I have also DU 4.0B and C2 installed.
I'm sending a copy to this list because I found a lot of mails concerned
about C2 and vouching.... But originally it's directed to
dbowman_at_sph.jhu.edu - because of his troubles with C2.


Compare your and these matrix.files:
correct place is /etc/sia/matrix.conf

-------------------------
For BASE security:


# _at_(#)$RCSfile: bsd_matrix.conf,v $ $Revision: 1.1.3.4 $ (DEC) $Date:
1992/05/04 10:21:22 $
#

# sia matrix configuration file (BSD only)

siad_init=(BSD,libc.so)
siad_chk_invoker=(BSD,libc.so)
siad_ses_init=(BSD,libc.so)
siad_ses_authent=(BSD,libc.so)
siad_ses_estab=(BSD,libc.so)
siad_ses_launch=(BSD,libc.so)
siad_ses_suauthent=(BSD,libc.so)
siad_ses_reauthent=(BSD,libc.so)
siad_chg_finger=(BSD,libc.so)
siad_chg_password=(BSD,libc.so)
siad_chg_shell=(BSD,libc.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(BSD,libc.so)
siad_chk_user=(BSD,libc.so)


------------------------------
Another one - for C2 is:
# _at_(#)$RCSfile: OSFC2_matrix.conf,v $ $Revision: 1.1.9.2 $ (DEC) $Date:
1996/02/09 19:08:40 $
#

siad_init=(BSD,libc.so)
siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_init=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_authent=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_estab=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_launch=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_suauthent=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_reauthent=(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_finger=(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_password=(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_shell=(OSFC2,/usr/shlib/libsecurity.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(OSFC2,/usr/shlib/libsecurity.so)
siad_chk_user=(OSFC2,/usr/shlib/libsecurity.so)

--------------------------------------

What is written during boot when running AdvFSd, mounting filestems - why
they are readonly? Is there any message? Check scripts in /sbin/rcx.d.


I can include some part of my mail with somebody, who was helping me with
C2 problems when installing Kerberos IV.

Martin
mmokrejs_at_natur.cuni.cz


*******************************************************************
Study manuals about rcmgr and it's SECURITY variable.

prfdec# rcmgr get SECURITY
ENHANCED
prfdec#

Yes, the documentation is sparse, but it basically explains what you
have to do. More extensive documentation should have come with the
operating system, either in `book' format or if you use Digital UNIX
4.0, in HTML. If you can't find that, you can look at
http://www.pdc.kth.se/doc/osf/osf40/HTML/AA-Q0R2D-TET1_html/TOC.html,
chapters 13, 20, and 21.

In short, what the matrix.conf file says it which libraries to use
when doing certain operations, such as verifying users paswords. These
libraries can be `stacked', so you can have more than one. They are
tried in the order listed in matrix.conf. So a line like

siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)

means that it should first try to use the `authenticate' routine in
the kerberos library, and if that fails use the one in libc (which
will try your normal /etc/passwd password).

> < siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)

Ah, you are using C2-security. I have not tested this and I can not
guarantee that the kerberos module works with C2. You can try to take
the C2-matrix.conf and prepend the KRB4-entries to it and see what
happens. Something like this:

siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecur
ity.so)

You will have to turn on `vouching' in /etc/auth/system/default for
the users that should be able to login without specifying their
C2-password. See the default(4) manpage, and the description of
`d_accept_alternate_vouching'.

Note that if you do this, you will most likely get a system that is
not C2 (since C2 systems needs to be verified as such). If you use C2
because you think it's better than normal passwd-security, this
shouldn't matter. If you have to use it because someone told you to,
you're out of luck.

> 9. When I login as a root from the console with xdm - not using
> kerberoses login, get an xterm, klist:

Digital's xdm (the one with be big Digital logo) and dtlogin (for CDE)
are sia-aware, but the standard X11-xdm that is also shipped is, alas,
not. One problem with this, which is mentioned in the SIA README, is
that xdm removes the environment completely after the user is
authenticated. This makes it impossible to pass information about
which ticket-file to use from the SIA module to your shell. To fix
this you have to do the changes mentioned in the README to your
Xsession file.


When you need to tell SIA(C2), that other program autenticates the user,
for example that kerberoses telnetd did the autentication, this telnetd
passes the -f flag to the login program(so it doesn't ask for a password).

Also you have to do:

/usr/tcb/bin/edauth -dd default

and then just include an :d_accept_alternate_vouching: capability. You
should be able to set this flag for each user as well, if you
wish. You have to turn this capability on, because otherwise the C2
module will not accept the result from other modules as valid (it will
insist on doing authenticaion itself).

# edauth -g -dd default
default:\
        
:d_name=default:d_pw_expire_warning#3456000:d_pw_site_callout=/tcb/bin/pwpolicy:
d_boot_authenticate_at_:\
        :d_secclass=c2:\
        :d_accept_alternate_vouching:\
        
:u_pwd=*:u_cmdpriv=boot,ping,printerstat,tape:u_syspriv=execsuid,chmodsugid:\
        :u_basepriv=execsuid,chmodsugid:\
        :u_minchg#0:u_minlen#6:u_maxlen#10:u_exp#0:\
        :u_life#31449600:u_pickpw:u_genpwd:u_restrict_at_:\
        :u_nullpw_at_:u_pwdepth#5:u_genchars:u_genletters:\
        :u_maxtries#5:u_lock:\
        :t_maxtries#10:t_logdelay#2:\
        :\
        
::d_audit_enable_at_:u_auditcntl#0:u_auditdisp=:u_unlockint#86400:t_unlockint#86400
::chkent:


> Originally there was :d_accept_alternate_vouching_at_:, which means disabled.
> It can be changed by X-window utility called dxaccounts. After checking
> the appropriate box the '_at_' disappeared.....

This is correct.
Received on Sun Jul 20 1997 - 18:05:50 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:36 NZDT