useraud(1) - Linux man page

Name

useraud - User authentication daemon

Synopsis

useraud [<options>] [<configfile>]

Description

The program runs as a daemon. It listens on a UNIX domain socket for incoming connections from useraudi processes (started by inetd/xinetd) and processes the requests.

Options

-d

enables debug mode (runs the program in foreground and writes debug information).

Return Value

The program is a standing daemon and does not return a value.

Configuration File

GENERAL FILE STRUCTURE

The configuration file consists of one ''options'' section and one or multiple ''backend'' sections.

OPTIONS SECTION

The options section is introduced by ''[options]'' standing alone in a line. The lines in the section contain key/value pairs, key and value are separated by ''=''. The following keys can be used:
run as user = username
chooses a user account used to run the useraud daemon. This entry is optional. On some systems for some backends useraud must run as ''root'' to have access to the encrypted passwords.
run as group = groupname
specifies a group used to run the useraud daemon. This entry is optional. The user account used to run the HTTP daemon should be a member of this group if you plan to use useraud with web applications.
socket = path
sets the file name of the UNIX domain socket for communication between useraudi and useraud. I recommend using a path below the ''/var/run'' directory.
database = type:path
sets the database type and the file name for the database. The type can be one of ''bdb'' (Berkeley DB), ''gdbm'' (GNU database manager) or ''ndbm'' (NDBM on some commercial UNIX systems). Make sure you have compiled the dktools project with support for the database type you choose.
cleanup interval = seconds
specifies the minimum amount of time (default: 2 days) between automatic database cleanups.
hash type = list
contains a comma-separated list of hash types useraud is allowed to use. The list may contain ''crypt'', ''md5'', ''ripemd-160'', ''sha-1'', ''sha-224'', ''sha-256'', ''sha-384'', and ''sha-512''.

You should allow at least one of the SHA- ... algorithms and the algorithm used by the user database backend to hash passwords.

report no such user = boolean
decides which response to send for non-existing user names: either ''no such user'' for ''yes'' or a faked challenge or ''wrong password'' response for ''no''.
local user name test = boolean
controls whether or not local applications connecting over a UNIX domain socket are allowed to verify user names using the 110 or 111 request.
net user name test = boolean
controls whether or not remote applications connecting over a network socket to useraudi are allowed to verify user names using the 110 or 111 request. Make sure to use a TCP wrapper (i.e. tcpd) to restrict the remote computers able to connect to useraudi.
cookie ttl = seconds
sets the maximum lifetime of a cookie.
cookie size = bytes
sets the cookie length in characters.
random seed file = path
specifies the name of the file used to store the PRNG seed. Access to this file must be restricted: only the user account running useraud may have access to it.
log file = path
sets the name of the log file.
log file level = string
sets the minimum priority level required to log a message to the log file, may be one of ''debug'', ''progress'', ''info'', ''notice'', ''warning'', ''error'', or ''fatal''.
syslog level = string
sets the minimum priority level required to log a message to the syslog system.

BACKEND SECTION

A backend section is introduced by ''[backend type]'' standing alone in a line. At this time there is only support for the ''system'' backend type.

The lines in the section contain key/value pairs, key and value are separated by ''=''. The following keys can be used:

password hash type = string
sets the hash type used to encrypt the password, one from ''crypt'', ''md5'', ''ripemd-160'', ''sha-1'', ''sha-224'', ''sha-256'', ''sha-384'', or ''sha-512''.
exclude user = username-list
lists users to exclude for this backend. Usernames in the list are separated by spaces or tabs. This line is allowed multiple times in a backend section.
add attribute = major minor string
adds the listed attribute to the details of authenticated users. The major and minor numbers are integer values. The string is passed ''as is''.

If you configure multiple backends you can use this feature to find which backend was used to authenticate the user.

map attribute = major minor string
maps one attribute from a user database record into the details for authenticated users. The string can be a database column name, an LDAP attribute name, and so on; the corresponding value is mapped into the response.

This feature is not implemented for the ''system'' backend type.
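
The file format and the hash type advice above can be checked mechanically. The following is an added example, not code from dktools: a small parser and audit for a useraud configuration. It assumes the backend header is written ''[backend system]'' and that booleans are written ''yes''/''no''; the sample paths and the function names parse and audit are constructed for illustration.

```python
# Constructed sample config; paths and values are illustrative, not defaults.
SAMPLE = """\
[options]
socket = /var/run/useraud/useraud.sock
database = bdb:/var/lib/useraud/users.db
hash type = crypt, md5
report no such user = yes
net user name test = no

[backend system]
password hash type = sha-512
exclude user = root daemon
exclude user = bin
"""

def parse(text):
    """Return (options, [(backend type, keys)]); each key maps to a list of values."""
    options, backends, target = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            target = options if name == "options" else None  # unknown sections are ignored
            if name.startswith("backend"):
                target = {}
                backends.append((name[len("backend"):].strip(), target))
        elif "=" in line and target is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            target.setdefault(key, []).append(value)  # "exclude user" may repeat
    return options, backends

def audit(text):
    """Check the page's 'hash type' advice and the user name disclosure switches."""
    options, backends = parse(text)
    last = lambda keys, k: keys.get(k, [""])[-1].lower()
    findings = []
    if "hash type" in options:
        allowed = {h.strip() for h in last(options, "hash type").split(",")}
        if not any(h.startswith("sha-") for h in allowed):
            findings.append("hash type: no SHA- algorithm allowed")
        for btype, keys in backends:
            pw = last(keys, "password hash type")
            if pw and pw not in allowed:
                findings.append(f"hash type: missing backend '{btype}' hash {pw}")
    for key in ("report no such user", "net user name test"):
        if last(options, key) == "yes":
            findings.append(f"{key}: lets clients learn which user names exist")
    return findings
```

Keys that are absent from the file are not reported, because this page does not state their defaults.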

See Also

http://dktools.sourceforge.net/useraud.html

Author

Dirk Krause

Copyright And License

Copyright © 2010, Dirk Krause All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above
  copyright notice, this list of conditions and the
  following disclaimer.

* Redistributions in binary form must reproduce the above
  copyright notice, this list of conditions and the following
  disclaimer in the documentation and/or other materials
  provided with the distribution.

* Neither the name of the Dirk Krause nor the names of
  contributors may be used to endorse or promote products
  derived from this software without specific prior written
  permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Referenced By

uachrs(1), useraudi(1)