ITAM Auth - Text Authent

Summary

ITAM Authentication Module - Text Authentication

Body

Text Authent

With Text Authent authentication module, users are authenticated based on their name and a corresponding password. Unlike the Single Password module, each user may have his or her own password, and users can belong to any number of groups. Although this method could also be used for admin authentication, the only point would be in order to re-use group and password info that was already entered for client authentication – there is no additional functionality beyond what is already available from the Admin Access window.

All of the names, passwords, and groups are stored as clear text in a file named “authent.txt” in the KeyServer Data Folder. Use any text editor with direct access to the authent.txt file on the TDX ITAM Server machine to create and edit it. It may be convenient to use an editor that can make the tab and return characters visible. Make sure you save the file as plain text.

You can modify the authent.txt file at any time, even when the KeyServer process is running, and any changes automatically take effect within ten minutes. If you want the changes to take effect sooner, choose the Client Authentication option from KeyConfigure's Config Menu, and click OK.

Each line in the authent.txt file is of the following form:

	user name tab password tab group1, group2, group3, ...

The user name, password, and individual group names can contain spaces, but cannot contain tab characters or any of the reserved characters:

	*	!	@	#	,	;	{	}

Only the first eight letters of the password are used; the rest are ignored. The list of groups (which may be empty) specifies which groups the user belongs to.

The character “*” has a special meaning when it appears alone in the name or password field. If the password for a user is simply “*”, the user may type any password, and will be authenticated (of course the user must type the exact name). This can be useful if you want to have an account for a user named “guest” that does not require a password.

If a user types a name that is not recognized, then the Text Authent module searches for an entry with “*” for the user name. The corresponding password is then used for this unknown user. Note that only one “*” user should be in the authent.txt file. If there is more than one, then the first one is used. The “*” user is useful if you want to give access to unknown users (users with any name and any password), or if you want to mimic the Single Password authentication module. You can also allow any user access to the TDX ITAM Server by including the entry:

	*	*

This effectively says “an unknown user may type any password.” You can then restrict these unknown users by excluding them from all groups (i.e., don't type any group names after the “* *” entry). Note that if you do not specify any groups, then a “* *” entry is equivalent to allowing guest access. However, if you do specify one or more groups, it is different - it gives you membership in all groups simply because of your name and password.

The “*” also has a special meaning when it appears in the group list. Any user who belongs to the “*” group belongs to all groups. Thus, the user

	root	leaves	*

belongs to all groups, and therefore all policies will apply, however the scope is defined. It is not necessary to list any other groups when the “*” group is listed. However, you may wish to explicitly exclude the user from one or more groups. To do this, list each group with an exclamation point (“!”) preceding it, and then list the “*” group last. For example,

	John Doe	s2Cr5t	!keysentry, !admin, *

specifies that the user named John Doe belongs to all groups except the keysentry group and the admin group. The “*” group must be the last group listed.

Be careful when you use the “*” in the name, password or group fields. You can actually turn authentication off (mimic the Disabled module) with the following entry:

	*	*	*

This entry tells the Text Authent module that an unknown user who types any password is in all groups. In fact, this is even worse than Disabled, because any user gets membership to all groups. This essentially overrides the group definitions for location and computer - they are rendered useless because any user can get membership in any group.

Text that is ignored or commented begins with a ";", and continues to the first return character. Make sure you type a return to end every line of your authent.txt file; automatic word-wrap does not suffice as an end marker for comments, and does not separate users.

Below is a summary of the format and rules of the authent.txt file:

  • Lines contain a user name, password, and optional group list. These three components are separated by the tab character.
  • Each distinct user name can only appear on a single line.
  • Users must spell their names correctly, as they appear in the authent.txt file. Upper and lower case do not matter.
  • Users must type their passwords exactly as they appear in the authent.txt file. Upper and lower case do matter.
  • Group names are listed optionally. Group names are separated by commas.
  • User names, passwords, and group names cannot contain tab characters or any of the reserved characters: * ! @ # , ; { }
  • The “*” character has special meaning in the user name, password and groups.
  • The exclamation point (“!”) excludes a user from a group.
  • Comments begin with “;” and end at the following return character.

The Text Authent module will not Assign Divisions automatically.
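As an added example (not part of the original article and not code from the KeyServer product), the following Python script parses an authent.txt file according to the rules above and flags entries that are malformed or that weaken authentication, such as a “* * *” line. The sample file contents at the bottom are constructed for the demonstration.

```python
from collections import Counter

RESERVED = set("*!@#,;{}")   # characters the article reserves (tab is the field separator)

def parse_authent(text):
    """Return (line_no, name, password, groups) per entry; ';' starts a comment, fields are tab-separated."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in raw.split(";", 1)[0].split("\t")]
        if not any(fields):          # blank or comment-only line
            continue
        password = fields[1] if len(fields) > 1 else ""
        groups = [g.strip() for g in fields[2].split(",") if g.strip()] if len(fields) > 2 else []
        entries.append((no, fields[0], password, groups))
    return entries

def audit_authent(text):
    """Return [(line_no, message)] for entries that are malformed or weaken authentication."""
    entries = parse_authent(text)
    names = Counter(n.lower() for _, n, _, _ in entries)   # user names are case-insensitive
    findings = []
    for no, name, password, groups in entries:
        if not password:
            findings.append((no, "missing password field"))
            continue
        checks = [("user name", name), ("password", password)] + [("group", g.lstrip("!")) for g in groups]
        for label, field in checks:
            if field != "*" and RESERVED & set(field):   # a lone '*' is the wildcard, not a violation
                findings.append((no, f"reserved character in {label} '{field}'"))
        if names[name.lower()] > 1:
            findings.append((no, f"user name '{name}' appears on more than one line"))
        if password == "*":
            findings.append((no, f"'{name}' is accepted with any password"))
        if len(password) > 8:
            findings.append((no, "only the first eight password characters are checked"))
        if "*" in groups and groups[-1] != "*":
            findings.append((no, "'*' group must be listed last"))
        if name == "*" and password == "*" and "*" in groups:
            findings.append((no, "'* * *' disables authentication: any user gets every group"))
    return findings

# Constructed sample file (not from a real deployment); the last entry is the dangerous one.
SAMPLE = (
    "root\tleaves\t*\n"
    "John Doe\ts2Cr5t\t!keysentry, !admin, *\n"
    "guest\t*\t; no password required\n"
    "*\t*\t*\n"
)

print(*audit_authent(SAMPLE), sep="\n")
```

Running the script against a copy of the live authent.txt gives a quick review of wildcard entries before the file is picked up by the KeyServer process.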

Details

Article ID: 170142
Created
Tue 1/13/26 11:51 PM
Modified
Wed 1/14/26 9:25 PM