XSIMBAD_AUTH release 1.0                                            95-Jan-16

==============================================================================
RELEASES
==============================================================================

------- 1.0 95-Jan-31 --------------------------------------------------------

    1st release for: DEC/ultrix, DEC/alpha/OSF-1
                     SUN/OS4.1.x, SUN/Solaris
                     SGI, IBM

==============================================================================
AVAILABILITY
==============================================================================

The authentication package is available on request by e-mail at:

    question@simbad.u-strasbg.fr

==============================================================================
THE FILES
==============================================================================

The package comes with the following files:

    README                  This file
    XSimbad_auth.machine    The authentication servers. The following
                            versions are currently available:

                                DEC/ultrix      xsimbad_auth.ultrix
                                DEC/alpha       xsimbad_auth.alpha
                                SUN/OS4.1.3     xsimbad_auth.sun4
                                SUN/SOLARIS     xsimbad_auth.solaris
                                IBM             xsimbad_auth.ibm
                                SGI             xsimbad_auth.sgi

==============================================================================
AUTHENTICATION
==============================================================================

The regular usage of SIMBAD requires a userid and a password on the SIMBAD
server. If you are managing a whole user community, which may be spread over
a lab, an institute, a university or even a country, you may be interested in
providing access to SIMBAD to your users without giving the SIMBAD userid and
password to each of them.

In a regular SIMBAD connection, the userid/password typed are sent to SIMBAD,
checked, and the connection is established if they are recognized.
    +---+       +---------------+                            +-----------------+
    |   |       |               |   (1) SIMBAD userid        |                 |
    | U |------>|               |--------------------------->|                 |
    | S |       |    XSIMBAD    |       and password         |     SIMBAD      |
    | E |       |               |                            |     server      |
    | R |<=====>|               |<===========================|                 |
    |   |       |               |   (2) SIMBAD connection    |                 |
    +---+       +---------------+                            +-----------------+

Each user needs to know the SIMBAD userid and password.

Using the XSIMBAD authentication server requires the user to possess some
local userid/password. With the appropriate parameter on the command line,
XSIMBAD connects first to your authentication server, which calls an
independent programme written by yourself. This latter receives the user's
local userid and password, checks it against a passwd file, a database, or
whatever you want, and if the check is satisfactory, returns the SIMBAD
userid/password to the XSIMBAD programme. This information is then used to
connect to the SIMBAD server.

    +---+      +-----------+  (1) user local   +-----------+     +------------------+
    |   |----->|           |  userid/passwd    |  XSIMBAD  |---->| locally written  |
    | U |      |           |------------------>|  authent. |     | check programme  |
    | S |      |  XSIMBAD  |                   |  server   |<----|                  |
    | E |      |           |<------------------|           |     +------------------+
    | R |      |           |  SIMBAD uid/pwd   +-----------+
    |   |      |           |                                     +------------------+
    |   |<====>|           |<====================================|  SIMBAD server   |
    +---+      +-----------+         (4) SIMBAD connection       +------------------+

==============================================================================
INSTALLATION
==============================================================================

The authentication server needs three steps to be installed:

1. Write the authentication programme
-------------------------------------

To facilitate its development, the authentication programme is completely
independent from the server. It is run by the server each time a user
launches XSimbad.
The rules needed to write it are very simple (in particular, they require no
knowledge of client/server programming). We suggest writing it in the C
language, but other languages able to read and write the unix standard input
and output files may probably be used as well.

 a) Receive from the server the user's local userid/password on standard
    input, e.g.:

        fgets(buff, sizeof buff, stdin)

    (rather than gets(buff), which cannot limit the length of the line it
    stores). buff contains:

        "caller-information userid password"

    separated by one space, and without the quotes ("). The
    "caller-information" is in the following format:

        userid@IP-number(hostname)

    Ex: wenger@130.79.128.4(simbad)

 b) Do whatever you need to check the user's authentication data (it may be
    checking your /etc/passwd file, calling a database, just checking the IP
    address, or whatever else you want to check).

 b') At this level you may also build your own logfile from the transmitted
    information.

 c) Prepare a string with the following syntax:

        if the check succeeds:  "OK simbad-userid simbad-password"
        if not:                 "NOK any message you want to be displayed"
        or:                     "KILL message"

    The message should not be larger than about 40 chars, one space should
    follow the keywords OK, NOK or KILL, and the keyword should begin in
    column 1. The quotes should not be written, of course. Then send this
    string to the standard output.

 d) Exit from the authentication programme.

That's it. The string (generally containing SIMBAD's userid and password) is
sent encrypted to XSimbad. In case of unsuccessful checking, the message
following 'NOK' is displayed on the XSimbad login window. 'KILL' will display
the message and end the client session.
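The two line formats defined by the rules above, worked through in code. This is an added example, not part of the XSIMBAD_AUTH package: parse_caller, caller_in_site, build_reply and the REPLY_* constants are assumed names, the caller string is the README's own example, and the 64-byte buffers are an assumed size.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MSG 40   /* "about 40 chars": cap for NOK/KILL messages */
enum { REPLY_NOK = 0, REPLY_OK = 1, REPLY_KILL = 2 };

/* Split the caller information "userid@IP-number(hostname)" into its three
 * parts; each output buffer holds at most n bytes. Returns 1 on success,
 * 0 if the string does not follow the documented format. (Assumed name.) */
int parse_caller(const char *caller, char *user, char *ip, char *host, size_t n)
{
    const char *at = strchr(caller, '@');
    const char *lp = at ? strchr(at, '(') : NULL;
    const char *rp = lp ? strchr(lp, ')') : NULL;
    size_t lu, li, lh;

    if (!at || !lp || !rp || rp[1] != '\0')
        return 0;
    lu = at - caller;  li = lp - at - 1;  lh = rp - lp - 1;
    if (lu == 0 || li == 0 || lu >= n || li >= n || lh >= n)
        return 0;
    memcpy(user, caller, lu);  user[lu] = '\0';
    memcpy(ip, at + 1, li);    ip[li] = '\0';
    memcpy(host, lp + 1, lh);  host[lh] = '\0';
    return 1;
}

/* Rule b), "just checking the IP address": accept callers whose IP number
 * starts with a site prefix. Use it as an extra condition next to the
 * userid/password check, not as a replacement. (Assumed name.) */
int caller_in_site(const char *caller, const char *prefix)
{
    char user[64], ip[64], host[64];
    if (!parse_caller(caller, user, ip, host, sizeof ip))
        return 0;
    return strncmp(ip, prefix, strlen(prefix)) == 0;
}

/* Rule c): build "OK simbad-userid simbad-password", or "NOK message" /
 * "KILL message" with the message cut at MAX_MSG characters. The keyword
 * starts in column 1 and exactly one space follows it. Returns the reply
 * length, or -1 if it does not fit in out[n]. (Assumed name.) */
int build_reply(int kind, const char *arg1, const char *arg2, char *out, size_t n)
{
    int len;
    if (kind == REPLY_OK)
        len = snprintf(out, n, "OK %s %s", arg1, arg2);
    else
        len = snprintf(out, n, "%s %.*s", kind == REPLY_KILL ? "KILL" : "NOK", MAX_MSG, arg1);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}
```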
Here is the shortest example of an authentication programme:

-----------------------------------------------
#include <stdio.h>
#include <string.h>

/* Site-specific check, to be written by the installer: return non-zero if
 * userid/passwd are valid (looked up in /etc/passwd, a database, ...).
 * This placeholder rejects everybody until you replace it. */
int CheckUser(const char *userid, const char *passwd)
{
    (void)userid; (void)passwd;
    return 0;
}

int main(void)
{
    char str[256];
    char *caller, *userid, *passwd;
    int succeed;

    /* read the string sent by the server
     * syntax: caller-info userid passwd
     * only 1 space separates caller-info, userid and passwd
     * password may contain, and even begin with, spaces
     * fgets instead of gets: a longer line cannot overflow str */
    if (fgets(str, sizeof str, stdin) == NULL) {
        printf("NOK NO INPUT\n");
        return 1;
    }
    str[strcspn(str, "\n")] = '\0';

    /* analyse the string */
    caller = str;
    userid = strchr(str, ' ');
    if (userid == NULL) { printf("NOK BAD REQUEST\n"); return 1; }
    *userid++ = '\0';
    passwd = strchr(userid, ' ');
    if (passwd == NULL) { printf("NOK BAD REQUEST\n"); return 1; }
    *passwd++ = '\0';
    (void)caller;   /* caller-info is available here for logging or IP checks */

    /* put here any kind of code you need to authenticate the user
     * and eventually everything you want to log the event */
    succeed = CheckUser(userid, passwd);

    /* return the result string
     * syntax: OK simbad-userid simbad-password
     * or:     NOK free message (max about 40 chars)
     * or:     KILL free message */
    if (succeed)
        printf("OK %s %s\n", "SIMBAD-userid", "SIMBAD-passwd");
    else
        printf("NOK WRONG PASSWORD\n");
    return 0;
}
-----------------------------------------------

Of course, the weak point is that the SIMBAD userid and password have to be
written somewhere. Do not let everybody read your authentication programme,
and hide the password in some way in the executable (otherwise it can be
read with the 'strings' programme). It is your responsibility when installing
the authentication server to ensure this confidentiality.

2. Launch the authentication server
-----------------------------------

The authentication server should be run permanently. It does not need to be
run under the root id. It can run on any station, anywhere on the internet,
possibly having nothing to do with SIMBAD.

Before running it, you must choose, once and for all, a service number.
Already used service numbers are in the system table called '/etc/services'.
On SUN stations, you do not need to register the new service number. On DEC
stations, you have to. But it is of course good practice to do it, and it is
MANDATORY TO CHOOSE THE NUMBER WITH THE SYSTEM MANAGER OF THE STATION.
Running the authentication server is then done with the following command:

    XSimbad_auth service-number auth-pgm [logfile] &

Be sure it is launched each time the station is rebooted.

3. XSimbad usage with the authentication server
-----------------------------------------------

In order to connect first to your authentication server, the XSimbad user
must specify the following option:

    XSimbad -aHOSTID,SERVICE-NUMBER

where HOSTID is the IP number or the INTERNET hostname of the host running
the authentication server, and SERVICE-NUMBER the corresponding ... service
number as it may be defined in the /etc/services file.

Examples (imaginary):

    XSimbad -a100.50.25.12,1995
    XSimbad -amyhost.myuniv.edu,2345