.TH AUTHMGR 8 "August 2007" "OpenFWTK"
.SH NAME
authmgr \- network user authentication client
.SH SYNOPSIS
.BI "authmgr"
.SH DESCRIPTION
.IX "authmgr" "" "\(em network user authentication client"
The Firewall Toolkit user authentication client
.RB ( authmgr )
is a client-side interface to the OpenFWTK user authentication daemon
.RB ( authsrv ).
It provides a convenient command line interface for creating,
modifying, disabling, and deleting users.
See
.BR authsrv (8)
for more information on the authentication management system.
.SS Configuration Options
.B authmgr
reads configuration rules from the
.IR "netperm-table" .
It reads all rules using the
.B authmgr
and
.B *
.B authmgr
reads the
.I netperm-table
from top to bottom.
If there are multiple rules in the table that could apply for a
particular attribute,
.B authmgr
uses the first one that it finds.
See
.BR "netperm-table" (5)
for a more complete explanation of
.I netperm-table
syntax and precedence.
.PP
.B authmgr
recognizes the following attributes:
.TP
.BI "authserver " "host port"
Specifies the host running the authentication server (and the port
on which it runs) that the proxies use for authenticating users.
.RS
.TP
.I host
Specifies an IP address or host name.
.TP
.I port
Specifies a service name or port number.
.RE
.SH COMMANDS
.B authmgr
recognizes the following commands from within its command line interface:
.TP
.BI "addgroup " "user group [group..]"
Makes the user a member of the specified group(s).
You must be a global administrator to use this command.
.TP
.BI "adduser " user " [" fullname "]"
Adds a user to the authentication database.
You must be a global administrator or a group administrator to use
this command.
If you are a group administrator, users you create are automatically
made members of your group.
Note that you still must enable a user after you have added the user.
.RS
.TP
.I user
Name of the user to be added to the authentication database.
The user names must match the user names for the strong authentication
system you are using.
The user names in the user authentication management system do not
generally need to match user names on the firewall itself.
By default, you do not create any user accounts on the firewall,
unless those accounts are used for system-wide authentication by
.IR PAM ,
.IR sshd (8)
authentication modules, and the like.
.TP
.I fullname
The user's full name or other descriptive text about the user.
Use quotes for information that contains spaces.
.RE
.TP
.BI "deluser " user
Deletes the specified user from the authentication database.
You must be a global administrator or a group administrator to use
this command.
If you are a group administrator, the user must be a member of your group.
.TP
.BI "disable " user
Disables the specified user in the authentication database.
The user's information remains in the database, but the user is not
allowed to use the system.
The user authentication system disables users after a set number
(configurable by the administrator) of failed login attempts.
You must be the database administrator or a group administrator to use
this command.
If you are a group administrator, the user must be a member of your group.
.TP
.BI "display " user
Displays the status, authentication protocol, and last login of the
specified user.
You must be the database administrator or a group administrator to use
this command.
If you are a group administrator, the user must be a member of your group.
.TP
.BI "enable " user " [onetime]"
Allows users who have been disabled to use the system again.
You must be the database administrator or a group administrator to use
this command.
If you are a group administrator, the user must be a member of your group.
.RS
.TP
.I user
Name of a user.
.TP
.B onetime
Enables the user for one successful authentication.
After the user successfully authenticates once,
.B authmgr
automatically disables the user.
.RE
.TP
.B exit
Exits
.BR authmgr .
.TP
.B help
Displays a list of valid commands for
.BR authmgr .
.TP
.BI "list [" group "]"
.TP
.BI "password [" user "] " passwordtext
Sets the password for the current user.
You must be the database administrator or a group administrator to use
this command.
If you are a group administrator, the user must be a member of your group.
.RS
.TP
.I user
Name of a user.
If you specify a user name, changes the password for the specified user.
.TP
.I passwordtext
Password for the current or specified user.
Valid values depend on the protocol being used.
For the default protocols, valid values are:
.RS
.TP
.B SecurID
The seed in hex
.TP
.B SNK
Eight 3-digit groups used to key the SNK calculator for this user
.TP
.B S/Key
The seed for the user's password
.TP
.B password
A reusable password.
Use quotes if the password contains spaces.
.RE
.RE
.TP
.BI "proto " "user protocol"
Sets the authentication protocol for the specified user to the named
protocol.
You must be the database administrator or a group administrator to use
this command.
If you are a group administrator, the user must be a member of your group.
.RS
.TP
.I user
Name of a user.
.TP
.I protocol
The name of the authentication protocol.
The available protocols depend on the protocols compiled into
.BR authmgr .
By default, valid values are:
.RS
.IP \(bu 4n
SecurID
.IP \(bu 4n
snk
.IP \(bu 4n
Skey-md4
.IP \(bu 4n
Skey-md5
.IP \(bu 4n
Skey-SHA1
.IP \(bu 4n
Skey-rmd160
.IP \(bu 4n
password
.RE
.RE
.TP
.B quit
Exits
.BR authmgr .
.TP
.BI "rename " "user newname" " [" "fullname" "]"
Changes the existing record for the existing user with the specified
information.
.RS
.TP
.I user
Name of an existing user in the authentication database.
.TP
.I newname
The new user name that you wish to use.
.TP
.I fullname
The new user's full name or other descriptive text about the user.
Use quotes for information that contains spaces.
.RE
.TP
.BI "revoke " "user group"
Removes the user from the members of the specified group.
You must be a global administrator to use this command.
.TP
.BI "unwiz " "user group [group..]"
Removes the group administrator flags from the specified user.
You must be a global administrator to use this command.
This command has no effect on global administrators.
To remove global administrator privileges from a user, delete and
recreate the user.
.TP
.BI "wiz " "user group [group..]"
Makes the specified user a group administrator of the group(s) of
which they are currently a member.
.TP
.B ?
Displays a list of valid commands for
.BR authmgr .
.SH EXAMPLES
This example shows the configuration lines in the
.I netperm-table
that indicate that the authentication client accesses the
authentication server running on the same machine on port 7777:
.sp 1
.nf
.na
.RS
authmgr: authserver 127.0.0.1 7777
.RE
.ad
.fi
.sp 1
This example shows an administrator running as
.B root
starting
.B authmgr
on the firewall, logging in as an administrative user, and creating
and enabling a new user in the authentication database.
.sp 1
.nf
.na
root@firewall # authmgr
Connected to server
.RB "authmgr-> " "login fwadmin"
.RI "Password: " "password does not display"
Logged in
.RB "authmgr-> " list
Report for users in database
user      group  longname         status  proto     last
----      -----  --------         -----   -----     ----
fwadmin                           y W     Skey-md5  Thu May 2 11:41:42 2007
scooter          Scooter Lindley  y       Snk       Wed May 1 09:02:12 2007
.RB "authmgr-> " "adduser john 'John Whorfin'"
ok - user added initially disabled
.RB "authmgr-> " "enable john"
enabled
.RB "authmgr-> " "proto john Snk"
changed
.RB "authmgr-> " "pass john '160 270 203 065 022 034 232 162' "
Secret key changed
.RB "authmgr-> " list
Report for users in database
user      group  longname         status  proto     last
----      -----  --------         -----   -----     ----
fwadmin                           y W     Skey-md5  Thu May 2 11:41:42 2007
scooter          Scooter Lindley  y       Snk       Wed May 1 09:02:12 2007
john             John Whorfin     ena     Snk       never
.RB "authmgr-> " quit
#
.ad
.fi
.SH FILES
.IP /usr/local/etc/netperm-table
The network permissions file contains configuration information for
the Firewall Toolkit, including
.BR authmgr .
.SH BUGS
Report bugs to the fwtk-users mailing list.
Include a complete example, explaining what you expected to happen and
what actually happened.
Be sure to indicate the type of system (operating system, hardware,
etc.) you are using, as well as the version of
.BR authmgr .
.SH AUTHOR
Alexei Kravchuk.
.SH SEE ALSO
.BR netperm-table "(5), " rc "(8), " authsrv (8)
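.PP
The first-match lookup described under Configuration Options, as an added example that is not part of the original manual page or of the OpenFWTK code: it resolves which authserver rule applies to authmgr and reports later rules that the first match shadows. The sample table is constructed, and the other-proxy keyword, the # comment handling and all function names are assumptions of this sketch.
.nf

```python
# Added example: which "authserver" rule does authmgr actually use?
# Models only what the page states: rules are read top to bottom, the
# keywords "authmgr" and "*" apply, and the first matching rule wins.

# CONSTRUCTED sample table; only the 127.0.0.1 line appears on the page.
SAMPLE_TABLE = """# constructed sample netperm-table
other-proxy: authserver 10.0.0.5 7777
authmgr: authserver 127.0.0.1 7777
*: authserver 192.0.2.10 7777
authmgr: authserver 198.51.100.7 9999
"""

def parse_rules(text):
    # Return (line number, keyword, attribute, values) for each rule line.
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if ":" not in line:
            continue
        keyword, rest = line.split(":", 1)
        fields = rest.split()
        if fields:
            rules.append((lineno, keyword.strip(), fields[0], fields[1:]))
    return rules

def matching_rules(rules, program, attribute):
    # Rules that could apply to this program, in table order.
    return [(n, kw, vals) for n, kw, attr, vals in rules
            if kw in (program, "*") and attr == attribute]

def resolve_authserver(text, program="authmgr"):
    # First match wins; every later candidate is reported as shadowed.
    hits = matching_rules(parse_rules(text), program, "authserver")
    if not hits:
        return None
    lineno, keyword, values = hits[0]
    if len(values) != 2:
        raise ValueError("line %d: authserver needs host and port" % lineno)
    return {"host": values[0], "port": values[1], "line": lineno,
            "keyword": keyword, "shadowed": hits[1:]}

if __name__ == "__main__":
    result = resolve_authserver(SAMPLE_TABLE)
    print("authmgr uses", result["host"], result["port"],
          "from line", result["line"])
    for lineno, keyword, values in result["shadowed"]:
        print("  shadowed: line", lineno, keyword, " ".join(values))
```

.fi
A non-empty shadowed list means a later rule is silently ignored, which is worth reviewing whenever the table is edited.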