OSF DCE Administration Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series

381

382

383

384

385

386

387

388

389

390

Creating and Maintaining Principals, Groups, and Organizations

30.6.1.1 Managing User Authentication

You manage preauthentication for a given principal by attaching an instance of the

pre_auth_req ERA to the principal and specifying a value to indicate the lowest level

protocol the DCE Security Service should accept for the principal, as follows:

0 (NONE) Speciﬁes that the DCE Security Service should accept, from this

principal, login requests using any of the three protocols (including the pre-DCE

Version 1.1 protocol.) This is the least secure level and is provided only in order

to enable DCE Version 1.1 servers to accept login requests from pre-DCE

Version 1.1 clients. It is most vulnerable to the type of attack previously

described.

Warning: Failing to attach an instance of the pre_auth_req ERA to

a principal is equivalent to specifying 0 (NONE).

1 (PADATA-ENC-TIMESTAMPS) Speciﬁes that the DCE Security Service

should accept, from this principal, login requests using either the timestamp or

third-party protocol. The timestamp protocol protects against attackers

masquerading as a security client and attacking replies from the DCE

Authentication Service, but is still vulnerable to attacks by processes capable of

monitoring the network.

2 (PADATA-ENC-THIRD-PARTY) Speciﬁes that the only login requests the

DCE Security Service will accept from this principal are those using the third-

party protocol. This is the highest level of DCE preauthentication and provides

the most protection against the attacks previously described. With third-party

preauthentication, all authentication data sent over the network is encrypted

with a ‘‘strong’’ random key known only to the local machine principal and the

DCE Security Service.

When the authentication service receives a login request for a principal, it always

attempts to respond using the same protocol as the request, unless the pre_auth_req

ERA value for that principal ‘‘forbids’’ it to do so. Table 30-2 provides a matrix

describing the actions taken by the authentication service under the various

combinations of login (authentication) request type and pre_auth_req ERA value.

For complete information on the details of DCE authentication (including the operation

of the preauthentication protocols), see the .

The following is an example of a dcecp command to create a principal and attach a

pre_auth_req ERA specifying third-party preauthentication:

dcecp> principal create smitty -attribute {pre_auth_req 2}

For further information on how to use dcecp to attach ERAs to principals, see Chapter

32.

124243 Tandem Computers Incorporated 30−9