
getauthinfo - obtain a certificate for authentication

getauthinfo filename

Description

The getauthinfo command interactively queries the user (the dialogue includes viewing an agreement, a copy of which is saved in the file /licensedb/<signer>.agreement), then contacts the signer server, or certifying authority, to obtain a certificate that can later be used to authenticate the user's identity. If the user chooses to save it, the certificate is stored in the file /usr/<username>/keyring/filename, where <username> is the name in the file /dev/user and filename is the base name of a file, not a path. The target directory /usr/<username>/keyring must exist before getauthinfo is called.

User responses

The user is prompted for the following items:
signer: The name of the signer server, for example pcwork1.company.com. The default is the value of the SIGNER variable in the file /services/cs/db.
remote user name: The name of the user for whom a certificate is to be obtained. The default is the name in /dev/user.
password: The user's password. The password entered on the client must match the password stored on the server, or no certificate is issued. A hashed form of the password is stored on the server when the changelogin command is issued (see changelogin earlier in this chapter). The password must be at least 7 characters.
save in file: The default is 'no'. If the user responds 'yes' on a client, the certificate is stored on the client in the file /usr/<username>/keyring/filename; otherwise it is not kept.


Note: The password expiration date is also used as the expiration date for the certificate (see changelogin - command to create/update the password file )

File servers

Machines that will be file servers must obtain a certificate and save it in a file named default. This is accomplished with the command getauthinfo default. The user who runs getauthinfo for this purpose must be the same user who later runs lib/srv to start the server daemons, because the certificate is looked up under that user's keyring directory.

File server clients

Machines that are to be authenticated clients of file servers must obtain a certificate and store it in a file named with the format net!machine, using the command getauthinfo <net!machine>. The filename must match exactly the addr argument later given to the mount command for that file server; a certificate saved under any other name will not be used. For more information on the format of <net!machine>, see mount - add to namespace in Chapter 8.
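The following POSIX shell script is an added example, not part of the Inferno manual or distribution. It encodes the rules stated in the File servers and File server clients sections above as pre-flight checks: the user name is read from /dev/user, the keyring directory must exist before getauthinfo runs, the argument must be a base name rather than a path, a server's certificate is keyring/default, and a client's certificate file must be named exactly like the addr later passed to mount. The ROOT variable is an assumption introduced so the script can be exercised against a scratch directory tree instead of a live Inferno namespace; the getauthinfo invocation itself is printed rather than executed because the command is interactive.

```shell
#!/bin/sh
# Added example (not Inferno code): pre-flight checks for getauthinfo.
# ROOT is an assumption for offline use; leave it empty on a real host so
# the paths resolve to /dev/user and /usr/<username>/keyring.
ROOT="${ROOT:-}"

# User name as recorded in /dev/user (single line; strip any newline).
keyring_user() {
    tr -d '\n' < "$ROOT/dev/user"
}

# Directory getauthinfo writes into; the page says it must already exist.
keyring_dir() {
    printf '%s\n' "$ROOT/usr/$(keyring_user)/keyring"
}

# getauthinfo takes a base name, never a path: reject empty names,
# anything containing '/', and the special entries . and ..
valid_cert_name() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate the name, create the keyring directory if it is missing, and
# print the command line that would then be run interactively.
prepare_cert() {
    name="$1"
    valid_cert_name "$name" || { echo "bad certificate name: $name" >&2; return 1; }
    dir="$(keyring_dir)"
    mkdir -p "$dir" || return 1
    printf 'getauthinfo %s\n' "$name"
}

# File server: keyring/default must exist for the user who runs lib/srv.
check_server_cert() {
    [ -f "$(keyring_dir)/default" ]
}

# File server client: the certificate file must be named exactly like the
# mount addr. Returns 0 when found; otherwise lists near-misses that share
# the machine part after the last '!' (a common cause of mount failing to
# authenticate) and returns 1.
check_client_cert() {
    addr="$1"
    dir="$(keyring_dir)"
    if [ -f "$dir/$addr" ]; then
        return 0
    fi
    machine="${addr##*!}"
    echo "no certificate $dir/$addr for mount addr '$addr'" >&2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base="${f##*/}"
        case "$base" in
            *"$machine"*)
                echo "  note: found '$base'; either mount with that exact addr or run: getauthinfo $addr" >&2 ;;
        esac
    done
    return 1
}
```

Typical use on a server is `prepare_cert default` followed by running the printed getauthinfo command and then `check_server_cert`; on a client, `prepare_cert 'tcp!fs.company.com'` and, after obtaining the certificate, `check_client_cert 'tcp!fs.company.com'` with the same string you intend to pass to mount.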

Files
/licensedb/<signer>.agreement Where a copy of the agreement is stored on a client machine.
/usr/<username>/keyring/<net!machine> Where a certificate is stored on a client machine.
/usr/<username>/keyring/default Where a certificate is stored on a file server.
/services/cs/db Contains the default name of the signer server.

Note

The signer server needs keys to endorse the certificates it issues to clients. If a user requests a certificate with the getauthinfo command before keys have been created on the signer server, getauthinfo causes the keys to be generated and stored on the signer (see createsignerkey - create signer key on authentication server for more information). These keys are stored in /keydb/signerkey on the signer server, with the owner designated as '*'.

See Also

changelogin - command to create/update the password file
mount - add to namespace in Chapter 8



infernosupport@lucent.com
Copyright © 1997, Lucent Technologies, Inc. All rights reserved.