123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724 |
- .TH AUTHSRV 6
- .SH NAME
- authsrv, p9any, p9sk1, p9sk2 \- authentication protocols
- .SH DESCRIPTION
- This manual page describes
- the protocols used to authorize connections, confirm the identities
- of users and machines, and maintain the associated databases.
- The machine that provides these services is called the
- .I authentication server
- (AS).
- The AS may be a stand-alone machine or a general-use machine such as a CPU server.
- The network database
- .IR ndb (6)
- holds for each public machine, such as a CPU server or
- file server, the name of the authentication server that machine uses.
- .PP
- Each machine contains three values important to authentication; a 56-bit DES
- key, a 28-byte authentication ID, and a 48-byte authentication domain name.
- The ID is a user name and identifies who is currently responsible for the
- kernel running on that machine.
- The domain name identifies the machines across which the ID is valid.
- Together, the ID and domain name identify the owner of a key.
- .PP
- When a terminal boots,
- .IR factotum (4)
- prompts for user name and password.
- The user name becomes the terminal's authentication ID.
- The password is converted using
- .I passtokey
- (see
- .IR authsrv (2))
- into a 56-bit DES key and saved in memory.
- The authentication domain is set to the null string.
- If possible,
- .I factotum
- validates the key with the AS
- before saving it.
- For Internet machines the correct AS to ask is found using
- .IR dhcpd (8).
- .PP
- When a CPU or file server boots,
- .I factotum
- reads the key, ID, and domain name from
- non-volatile RAM.
- This allows servers to reboot without operator intervention.
- .PP
- The details of any authentication are mixed with the semantics
- of the particular service they are authenticating so we describe
- them one case at a time. The following definitions will be used
- in the descriptions:
- .TF nullx
- .TP
- .I Ks
- server's host ID's key
- .TP
- .I Kc
- client's host ID's key
- .TP
- .I Kn
- a nonce key created for a ticket
- .RB ( key )
- .TP
- .IR K { m }
- message
- .I m
- encrypted with key
- .I K
- .TP
- .I CHc
- an 8-byte random challenge from a client
- .RB ( chal )
- .TP
- .I CHs
- an 8-byte random challenge from a server
- .RB ( chal )
- .TP
- .I IDs
- server's ID
- .RB ( authid )
- .TP
- .I DN
- server's authentication domain name
- .RB ( authdom )
- .TP
- .I IDc
- client's ID
- .RB ( hostid ,
- .BR cuid )
- .TP
- .I IDr
- client's desired ID on server
- .RB ( uid ,
- .BR suid )
- .PD
- .PP
- The parenthesized names are the ones used in the
- .B Ticketreq
- and
- .B Ticket
- structures in
- .BR <authsrv.h> .
- .PP
- The message type constants
- .IR AuthTreq ,
- .IR AuthChal ,
- .IR AuthPass ,
- .IR AuthOK ,
- .IR AuthErr ,
- .IR AuthMod ,
- .IR AuthApop ,
- .IR AuthOKvar ,
- .IR AuthChap ,
- .IR AuthMSchap ,
- .IR AuthCram ,
- and
- .IR AuthVNC
- .RB ( type )
- are defined in
- .BR <authsrv.h> ,
- as are the encrypted message types
- .IR AuthTs ,
- .IR AuthAs ,
- .IR AuthAc ,
- .IR AuthTp ,
- and
- .IR AuthHr
- .RB ( num ).
- .SS "Ticket Service
- When a client and server wish to authenticate to each other,
- they do so using
- .I tickets
- issued by the AS.
- Obtaining tickets from the AS
- is the client's responsibility.
- .PP
- The protocol to obtain a ticket pair is:
- .TP
- .IR C \(-> A
- .IR AuthTreq ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR IDc ,
- .IR IDr
- .sp -\n(PDu
- .TP
- .IR A \(-> C
- .IR AuthOK ,
- .IR Kc { AuthTc ,
- .IR CHs ,
- .IR IDc ,
- .IR IDr ,
- .IR Kn },
- .IR Ks { AuthTs ,
- .IR CHs ,
- .IR IDc ,
- .IR IDr ,
- .IR Kn }
- .PP
- The two tickets are identical except for their type fields
- and the keys with which they are encrypted.
- The client and server can each decrypt one of the tickets,
- establishing a shared secret
- .IR Kn .
- .PP
- The
- tickets can be viewed as a statement by the
- AS that
- ``a client possessing the
- .I Kn
- key is allowed to authenticate as
- .IR IDr .''
- .PP
- The presence of the server challenge
- .I CHs
- in the ticket allows the server to verify the freshness
- of the ticket pair.
- .PP
- The AS sets the
- .I IDr
- in the tickets to the requested
- .I IDr
- only if
- .I IDc
- is allowed to
- .I "speak for
- .RI ( q.v. )
- .IR IDr .
- If not,
- the AS sets
- .I IDr
- to the empty string.
- .PP
- If the users
- .I IDc
- or
- .I IDs
- do not exist,
- the AS silently generates one-time
- random keys to use in place of
- .I Kc
- or
- .IR Ks ,
- so that clients cannot probe the AS
- to learn whether a user name is valid.
- .SS "P9sk1
- The Plan 9 shared key protocol
- .I p9sk1
- allows a client and server to authenticate each other.
- The protocol is:
- .TP
- .IR C \(-> S
- .I CHc
- .br
- The client starts by sending a random challenge to the server.
- .TP
- .IR S \(-> C
- .IR AuthTreq ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR \- ,
- .IR \-
- .br
- The server replies with a ticket request giving its
- id and authentication domain along with its own
- random challenge.
- .TP
- .IR C \(-> S
- .IR Ks { AuthTs ,
- .IR CHs ,
- .IR IDc ,
- .IR IDr ,
- .IR Kn },
- .IR Kn { AuthAc ,
- .IR CHs }
- .br
- The client adds
- .I IDc
- and
- .I IDr
- to the ticket request and obtains a ticket pair
- from the AS as described above.
- The client relays the server's ticket along with
- an
- .IR authenticator ,
- the
- .I AuthAc
- message.
- The authenticator proves to the server that the
- client knows
- .I Kn
- and is therefore allowed to authenticate as
- .IR IDr .
- (The inclusion of
- .IR CHs
- in the authenticator avoids replay attacks.)
- .TP
- .IR S \(-> C
- .IR Kn { AuthAs ,
- .IR CHc }
- .br
- The server replies with its own authenticator,
- proving to the client that it also knows
- .I Kn
- and therefore
- .I Ks .
- .PD
- .PP
- .I P9sk2
- is an older variant of
- .I p9sk1
- used only when connecting to pre-9P2000 remote
- execution services.
- It omits the first message and last
- messages and therefore does not
- authenticate the server to the client.
- .SS "P9any
- .I P9any
- is the standard Plan 9 authentication protocol.
- It consists of a negotiation to determine a common
- protocol, followed by the agreed-upon protocol.
- .PP
- The negotiation protocol is:
- .TP
- .IR S \(-> C
- .B v.2
- .IB proto@authdom
- .IB proto@authdom
- .I ...
- .sp -\n(PDu
- .TP
- .IR C \(-> S
- .I proto
- .I dom
- .sp -\n(PDu
- .TP
- .IR S \(-> C
- .B OK
- .PP
- Each message is a NUL-terminated UTF string.
- The server begins by sending a list of
- .IR proto ,
- .I authdom
- pairs it is willing to use.
- The client
- responds with its choice.
- Requiring the client to wait for the final
- .B OK
- ensures that the client will not start
- the chosen protocol until the server is ready.
- .PP
- The above is version 2 of the protocol.
- Version 1,
- no longer used,
- omitted the first message's
- .B v.2
- prefix
- and the
- .B OK
- message.
- .PP
- The
- .I p9any
- protocol is the protocol used by all
- Plan 9 services.
- The file server runs it over special
- authentication files
- (see
- .IR fauth (2)
- and
- .IR attach (5)).
- Other services, such as
- .IR cpu (1)
- and
- .IR exportfs (4),
- run
- .I p9any
- over the network and then
- use
- .I Kn
- to derive an
- .IR ssl (3)
- key to encrypt the rest of their communications.
- .SS "Password Change
- Users connect directly to the AS
- to change their passwords.
- The protocol is:
- .TP
- .IR C \(-> A
- .IR AuthPass ,
- .IR IDc ,
- .IR DN ,
- .IR CHc ,
- .IR IDc ,
- .IR IDc
- .br
- The client sends a password change ticket request.
- .TP
- .IR A \(-> C
- .IR Kc { AuthTp ,
- .IR CHc ,
- .IR IDc ,
- .IR IDc ,
- .IR Kn }
- .br
- The server responds with a ticket containing the key
- .I Kn
- encrypted with the client's key
- .IR Kc
- .TP
- .IR C \(-> A
- .IR Kn { AuthPass ,
- .IR old ,
- .IR new ,
- .IR changesecret ,
- .IR secret }
- .br
- The client decrypts the ticket using the old password
- and then sends back an encrypted password request
- .RB ( Passwordreq
- structure)
- containing the old password and the new password.
- If
- .I changesecret
- is set, the AS also changes
- the user's
- .IR secret ,
- the password used for non-Plan 9 authentications.
- .TP
- .IR A \(-> C
- .I AuthOK
- or
- .IR AuthErr ,
- 64-byte error message
- .br
- The AS responds with simply
- .I AuthOK
- or with
- .I AuthErr
- followed by a 64-byte error message.
- .SS "Authentication Database
- An
- .IR ndb (2)
- database file
- .B /lib/ndb/auth
- exists for the AS.
- This database maintains ``speaks for'' relationships, i.e.,
- it lists which users may speak for other users when
- authtenticating.
- The attribute types used by the AS are
- .B hostid
- and
- .BR uid .
- The value in the
- .B hostid
- is a client host's ID.
- The values in the
- .B uid
- pairs in the same entry list which users that host ID
- make speak for.
- A uid value of
- .B *
- means the host ID may speak for all users.
- A uid value of
- .BI ! user
- means the host ID may not speak for
- .IR user .
- For example:
- .PP
- .EX
- hostid=bootes
- uid=!sys uid=!adm uid=*
- .EE
- .PP
- is interpreted as
- .B bootes
- may speak for any user except
- .B sys
- and
- .BR adm .
- This property is used heavily on CPU servers.
- .SS "Foreign Protocols
- The AS accepts ticket request
- messages of types other than
- .I AuthTreq
- to allow users to
- authenticate using non-Plan 9 protocols.
- In these situations, the server communicates
- directly with the AS.
- Some protocols must begin without knowing the
- client's name. They ignore the client name in the
- ticket request.
- All the protocols end
- with the AS sending
- an
- .I AuthOK
- message containing a server ticket and authenticator.
- .PP
- .I AuthOK
- messages
- always have a fixed but context-dependent size.
- The occasional variable-length OK message starts with a
- .I AuthOKvar
- byte and a five-byte space-padded decimal length of the
- data that follows.
- .PP
- Anywhere an
- .I AuthOK
- message is expected, a
- .I AuthErr
- message may be substituted.
- .de Ok
- .sp -\n(PDu
- .TP
- .IR A \(-> S
- .IR AuthOK ,
- .IR Ks { \\$1 ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR IDs ,
- .IR IDc ,
- .IR Kn },
- .IR Kn { AuthTs ,
- .IR CHs }
- ..
- .PP
- .TP
- .IR S \(-> A
- .IR AuthChal ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR IDs ,
- .IR IDc
- .sp -\n(PDu
- .TP
- .IR A \(-> S
- .IR AuthOK ,
- .IR challenge
- .sp -\n(PDu
- .TP
- .IR S \(-> A
- .IR response
- .Ok AuthChal
- .IP
- This protocol allows the use of
- handheld authenticators such as SecureNet
- keys and SecureID tokens
- in programs such as
- .IR ssh (1)
- and
- .I ftpd
- (see
- .IR ipserv (8)).
- .IP
- .I Challenge
- and
- .I response
- are text strings,
- .SM NUL -padded
- to 16 bytes
- .RB ( NETCHLEN ).
- The
- .I challenge
- is a random five-digit decimal number.
- When using a SecureNet key or
- .IR netkey (1),
- the
- .I response
- is an eight-digit decimal or hexadecimal number
- that is an encryption of the challenge
- using the user's DES key.
- .IP
- When using a SecureID token,
- the challenge is ignored.
- The response is the user's PIN followed by
- the six-digit number currently displayed
- on the token.
- In this case, the AS
- queries an external RADIUS server
- to check the response.
- Use of a RADIUS server requires an entry in
- the authentication database. For example:
- .IP
- .EX
- radius=server-name secret=xyzzy
- uid=howard rid=trickey
- uid=sape rid=smullender
- .EE
- .IP
- In this example, the secret
- .B xyzzy
- is the hash key used in talking to the RADIUS server.
- The
- .BR uid / rid
- lines map from Plan 9 user ids to RADIUS ids.
- Users not listed are assumed to have the
- same id in both places.
- .TP
- .IR S \(-> A
- AuthApop ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR \- ,
- .IR \-
- .sp -\n(PDu
- .TP
- .IR A \(-> S
- .IR AuthOKvar ,
- .IR challenge
- .sp -\n(PDu
- .TP
- .IR S \(-> A
- AuthApop ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR IDc ,
- .IR IDc ;
- hexadecimal MD5 checksum
- .Ok AuthApop
- .IP
- This protocol implements APOP authentication
- (see
- .IR pop3 (8)).
- After receiving a ticket request of type
- .IR AuthApop ,
- the AS generates a random challenge
- of the form
- .BI < random @ domain >\fR.
- The client then replies with a new ticket request
- giving the user name
- followed by the MD5 checksum of
- the challenge concatenated with the user's secret.
- If the response is correct, the authentication
- server sends back a ticket
- and authenticator.
- If the response is incorrect, the client may repeat the
- ticket request/MD5 checksum message to try again.
- .IP
- The
- .I AuthCram
- protocol runs identically to the
- .I AuthApop
- protocol, except that the expected MD5 checksum
- is the keyed MD5 hash using the user's secret as the key
- (see
- .I hmac_md5
- in
- .IR sechash (2)).
- .TP
- .IR S \(-> A
- .IR AuthChap ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR \- ,
- .IR \-
- .sp -\n(PDu
- .TP
- .IR A \(-> S
- .I challenge
- .sp -\n(PDu
- .TP
- .IR S \(-> A
- .IR pktid ,
- .IR IDc ,
- .IR response
- .Ok AuthChap
- .IP
- This protocol implements CHAP authentication
- (see
- .IR ppp (8)).
- The
- .I challenge
- is eight random bytes.
- The response is a 16-byte MD5 checksum
- over the packet id, user's secret, and challenge.
- The reply packet is defined as
- .B OChapreply
- in
- .BR <authsrv.h> .
- .TP
- .IR S \(-> A
- .IR AuthMSchap ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR \- ,
- .IR \-
- .sp -\n(PDu
- .TP
- .IR A \(-> S
- .I challenge
- .sp -\n(PDu
- .TP
- .IR S \(-> A
- .IR IDc ,
- .IR lm-response ,
- .IR nt-response
- .Ok AuthMschap
- .IP
- This protocol implements Microsoft's MS-CHAP
- authentication
- (see
- .IR ppp (8)).
- The
- .I challenge
- is eight random bytes.
- The two responses are Microsofts LM and NT hashes.
- Only the NT hash may be used to authenticate,
- as the LM hash is considered too weak.
- The reply packet is defined as
- .B OMSchapreply
- in
- .BR <authsrv.h> .
- .TP
- .IR S \(-> A
- .IR AuthVNC ,
- .IR IDs ,
- .IR DN ,
- .IR CHs ,
- .IR IDs ,
- .IR IDc
- .sp -\n(PDu
- .TP
- .IR A \(-> S
- .IR AuthOKvar ,
- .I challenge
- .sp -\n(PDu
- .TP
- .IR S \(-> A
- .I response
- .Ok
- .IP
- This protocol implements VNC authentication
- (see
- .I vncs
- in
- .IR vnc (1)).
- The challenge is 16 random bytes, and the response
- is a DES ECB encryption of the challenge.
- The method by which VNC converts the user's
- secret into a DES key is weak,
- considering only the first eight bytes of the secret.
- .PD
- .SH FILES
- .TF /lib/ndb/auth.*xxx
- .TP
- .B /lib/ndb/auth
- database file
- .TP
- .B /lib/ndb/auth.*
- hash files for
- .B /lib/ndb/auth
- .SH SEE ALSO
- .IR auth (2),
- .IR fauth (2),
- .IR cons (3),
- .IR attach (5),
- .IR auth (8)
|