XYGATE User Authentication Reference Manual
Appendix B: The UAACL File
XYPRO Technology Corporation, Proprietary and Confidential
B37: PASSWORD_REQUIRED
The PASSWORD_REQUIRED keyword controls whether a Guardian password is needed for
the userid. When PASSWORD_REQUIRED is set to ON, a password is needed to
log on to the target userid. When PASSWORD_REQUIRED is set to OFF, the users in
the FROM_USER list can log on to users in the TO_USER list without supplying the
target user's password.
If present in a UAGroup, this keyword’s value overrides the one in the UACONF file.
If this keyword is omitted, the value in the UACONF file is used.
Syntax:
PASSWORD_REQUIRED {ON | OFF}
Example 1 below allows members of the ACLGROUP $SECURITY to log on as
SUPER.SUPER without supplying a password.
Example 1: How to allow users to log on to specified IDs without a password
UAGROUP Security-To-Super-Password-Not-Required
DESCRIPTION "Security Need not supply password for SUPER.SUPER"
FROM_USER $SECURITY
TO_USER SUPER.SUPER
PASSWORD_REQUIRED OFF
The PASSWORD_REQUIRED keyword may be beneficial in cases where the "log
down" capability is required. For example, log down must be allowed in order to
use public-key authentication or a single sign-on scheme to the NonStop server for
Safeguard aliases. In Safeguard, allowing such log down capability requires
PASSWORD-REQUIRED to be set to OFF at the global level, affecting all users on the
system, which imposes a security risk and is not recommended. With XUA, such a
configuration can be implemented for only those programs requiring the log down or
groups of users with special circumstances.
In Example 2 below, the UAGROUP configuration ensures that only the users who
are attempting an SSH connection are exempt from entering passwords, as they
are being public-key authenticated.
Example 2: How to allow SSH Authentication rather than a password
UAGROUP XYGATESH-LOGDOWN-ALLOWED
DESCRIPTION "Users authenticated by public key do not need password"
FROM_USER $EVERYONE
TO_USER $EVERYONE
REQUESTOR /USR/LOCAL/SBIN/SSHD
PASSWORD_REQUIRED OFF
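
An added example, not taken from the XYGATE manual or from XYPRO tooling: a Python audit that lists every UAGROUP whose effective PASSWORD_REQUIRED is OFF and notes whether the exemption is limited by a REQUESTOR. It assumes the one-keyword-per-line layout shown in Examples 1 and 2; the function names and the uaconf_value parameter are hypothetical, and the sample text is constructed from those two examples.

```python
# Constructed sample, built from Example 1 and Example 2 on this page.
SAMPLE_UAACL = """\
UAGROUP Security-To-Super-Password-Not-Required
DESCRIPTION "Security Need not supply password for SUPER.SUPER"
FROM_USER $SECURITY
TO_USER SUPER.SUPER
PASSWORD_REQUIRED OFF

UAGROUP XYGATESH-LOGDOWN-ALLOWED
DESCRIPTION "Users authenticated by public key do not need password"
FROM_USER $EVERYONE
TO_USER $EVERYONE
REQUESTOR /USR/LOCAL/SBIN/SSHD
PASSWORD_REQUIRED OFF
"""

def parse_uagroups(text):
    """Split UAACL text into [{'name': ..., 'keywords': {KEYWORD: [values]}}].

    Assumption: one keyword per line, no comments or continuation lines.
    """
    groups = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        keyword = parts[0].upper()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "UAGROUP":
            groups.append({"name": value, "keywords": {}})
        elif groups:
            groups[-1]["keywords"].setdefault(keyword, []).append(value)
    return groups

def passwordless_findings(text, uaconf_value):
    """Return (group name, notes) for groups whose effective setting is OFF."""
    findings = []
    for group in parse_uagroups(text):
        kw = group["keywords"]
        # A value in the UAGroup overrides UACONF; if omitted, UACONF applies.
        effective = kw.get("PASSWORD_REQUIRED", [uaconf_value])[-1].upper()
        if effective != "OFF":
            continue
        notes = []
        if "REQUESTOR" not in kw:
            notes.append("no REQUESTOR: exemption not limited to a program")
        if any(v.upper() == "SUPER.SUPER" for v in kw.get("TO_USER", [])):
            notes.append("TO_USER is SUPER.SUPER")
        findings.append((group["name"], notes))
    return findings
```

Calling passwordless_findings(SAMPLE_UAACL, "ON") reports both groups; the Example 1 group carries two notes, while the Example 2 group carries none because its exemption is tied to the SSHD requestor.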