Eagle user authentication is based on the presence or absence of the Gateway User Database file /usr/adm/sg/gwpasswd. If this file does not exist, no user authentication is attempted. The Gateway User Database file contains usernames and encrypted passwords. In the presence of the Gateway User Database, anyone who wants to get into or out of the protected network must first identify himself and provide a password, with the exception of authorization rules containing the noauth flag. Gwcontrol checks this information by searching the Gateway User Database. If the name and password are verified the connection is allowed; otherwise access is denied. Either way the user name is logged.
With user authentication enabled, the Gateway responds to attempts to use telnet or ftp by first checking the authorization file for a rule matching the hosts involved. If a rule exists and the noauth flag is present, the connection proceeds normally. (Of course, if there is no matching rule, no connection is permitted.) Lacking the noauth flag in the applicable rule, a valid Gateway username and password are required before the connection is permitted. Also, access can be limited to a specified set of groups and users with the user or group service limit in the authorization rule. See Section for more details.
The Gateway User Database information is stored in /usr/adm/sg/gwpasswd. This file has a very flexible structure for each line. Each line, or account entry, has five fields separated by colons (:). If an account entry is missing a field, that account is ignored. Each entry in the /usr/adm/sg/gwpasswd file has these fields:
An example gateway user entry follows:
sandi:BhNqayKxwq2r:20:100:Sandi Tennyson
Every gateway user must have an individual account: if users are permitted to share accounts, the accountability, the ability to determine who did what, is lost. The account entry provides the user identification information when the user wants into or out of the protected network.
Each gateway user entry requires an encrypted password. Eagle encrypts passwords using a specially enhanced version of the Data Encryption Standard (DES), vastly more secure than the standard UNIX system password encryption. Passwords are set and/or changed with the /usr/adm/sg/gwpassword program, which must be run by the super-user on the G Box console. (Individual users cannot change their Gateway password.) Follow gwpassword with a username. gwpassword prompts for the new password. The password is not displayed to prevent others from viewing it. It is requested twice to verify it was entered correctly. The example below shows the normally invisible password exchange.
%gwpassword sandi
Changing password for sandi.
New password: doggie16
Retype new password: doggie16
If the two passwords you type don't match, the password remains unchanged. New passwords should be at least five characters long if they combine upper-case and lower-case letters, or at least six characters long if they are in monocase.
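The following is an added example, not Eagle's own code: it parses entries in the five-field gwpasswd format described above (dropping entries that are missing a field), applies the password-length rule just stated, and makes the telnet/ftp access decision for the four cases the text describes (no matching rule, database absent, noauth rule, credentials checked). The page names only the username, encrypted password and full-name fields, so fields 3 and 4 are kept as opaque strings, and the DES-based password check is replaced by a caller-supplied verify function, both assumptions of this example.

```python
# Constructed sample database in the five-field colon-separated format.
# The second entry is deliberately missing its last field and must be ignored.
GWPASSWD = """\
sandi:BhNqayKxwq2r:20:100:Sandi Tennyson
broken:x:20:100
alex:Zk9qPq1mL0ab:21:100:Alex Example
"""


def parse_gwpasswd(text):
    """Return {username: entry} for every line with exactly five fields.
    Entries missing a field are ignored, as the Gateway does."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 5:
            continue
        name, enc_pw, field3, field4, full_name = fields
        # field3/field4 are not named on the page; kept as opaque strings (assumption).
        users[name] = {"password": enc_pw, "field3": field3,
                       "field4": field4, "name": full_name}
    return users


def password_acceptable(pw):
    """Minimum length: five characters if mixed case, six if monocase."""
    mixed = any(c.isupper() for c in pw) and any(c.islower() for c in pw)
    return len(pw) >= (5 if mixed else 6)


def decide(rule, users, creds, verify):
    """Return (allowed, logged_user).

    rule  : None when no authorization rule matches the hosts, otherwise a
            dict that may carry a 'noauth' flag.
    users : parsed database, or None when /usr/adm/sg/gwpasswd does not exist.
    creds : (username, password) offered by the user, or None.
    verify: verify(stored_encrypted, supplied) stands in for Eagle's
            DES-based check (assumed interface, not the real algorithm).
    """
    if rule is None:
        return False, None            # no matching rule: never permitted
    if users is None or rule.get("noauth"):
        return True, None             # no database or noauth rule: no authentication
    name, supplied = creds if creds else (None, None)
    entry = users.get(name)
    ok = entry is not None and verify(entry["password"], supplied)
    return ok, name                   # user name is logged whether allowed or denied
```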