.\" Automatically generated by Pod::Man version 1.15
.\" Fri Dec 20 09:52:45 2002
.TH sfsauthd_config 5 "SFS 0.7.2" "2002-12-20" "SFS 0.7.2"
.SH "NAME"
sfsauthd_config \- user-authentication daemon configuration
.SH "DESCRIPTION"
.IP "Hostname \fIname\fR" 4
Set the \fILocation\fR part of the server's self-certifying pathname.
The default is the current host's fully-qualified hostname.
.IP "Keyfile \fIpath\fR" 4
Tells \fBsfsrwsd\fR to look for its private key in file \fIpath\fR.
The default is \fIsfs_host_key\fR.
\s-1SFS\s0 looks for file names that do not start with \fI/\fR in
\fI/etc/sfs\fR, or whatever directory you specified if you used the
\fB\-with-etcdir\fR option to \fBconfigure\fR.
.IP "Userfile [\-update] [\-create] [\-passwd] [\-admin] [\-prefix=\fIprefix\fR] [\-uid=\fIuid\fR | \-uidmap=\fIu1\fR-\fIu2\fR+\fIu3\fR] [\-gid=\fIgid\fR | \-gidmap=\fIg1\fR-\fIg2\fR+\fIg3\fR] [\-pub=\fIpubpath\fR] \fIpath\fR" 4
This specifies a file in which \fBsfsauthd\fR should look for user
public keys when authenticating users.  You can specify multiple
\fBUserfile\fR directives to use multiple files.  This can be useful in
an environment where most user accounts are centrally maintained, but a
particular server has a few locally-maintained guest (or root) accounts.
.sp
\fBUserfile\fR has the following options:
.RS 4
.IP "\-update" 4
Specifies a user database as updatable.  Users can register new public
keys, update their public keys, and change their server key information
on writable databases.  If this option is not given, the database is
assumed to be read-only and possibly on a remote machine.  Thus,
\fBsfsauthd\fR maintains local copies of read-only databases in
\fI/var/sfs/authdb\fR.  This process ensures that temporarily unavailable
file servers never disrupt \fBsfsauthd\fR's operation.
.IP "\-create" 4
Create an empty \fIsfs_users\fR file if no such file exists.
.IP "\-passwd" 4
Treat the Unix passwd file (\fI/etc/passwd\fR on most machines) as part
of this userfile.  Use password, shell and home directory information.
Allows users who do not exist in the database to log into
\fBsfsauthd\fR with their \s-1UNIX\s0 password, so that they might
register an \s-1SFS\s0 key (note this also requires the \fB\-update\fR
flag).  See \fIsfskey register\fR for details on this.  Also important
for proper functioning of \fBrexd\fR.
.IP "\-admin" 4
Allow an \s-1SFS\s0 administrator to make changes to user records that
have the admin flag set in their \fBprivs\fR field.
.IP "\-prefix=\fIprefix\fR" 4
Prepend the prefix \fIprefix\fR to usernames in the given userfile.
.IP "\-uid=\fIuid\fR" 4
.PD 0
.IP "\-uidmap=\fIu1\fR-\fIu2\fR+\fIu3\fR" 4
.PD
These options are mutually exclusive.  The first maps every user's
credentials in the given file to the single \s-1UID\s0 \fIuid\fR.  The
second maps users whose \s-1UID\s0 lies in the range \fIu1\fR to
\fIu2\fR by adding the offset \fIu3\fR.  For example, to map
\s-1UID\s0s 1000\-2520 to 61000\-62520, you would supply
\fB\-uidmap=1000\-2520+60000\fR.
.IP "\-gid=\fIgid\fR" 4
.PD 0
.IP "\-gidmap=\fIg1\fR-\fIg2\fR+\fIg3\fR" 4
.PD
These function the same as \fB\-uid\fR and \fB\-uidmap\fR above, but
apply to group IDs rather than user IDs.  Again, the two options are
mutually exclusive.
.IP "\-pub=\fIpubpath\fR" 4
\fBsfsauthd\fR supports the secure remote password protocol, or
\s-1SRP\s0.  \s-1SRP\s0 lets users connect securely to \fBsfsauthd\fR
with their passwords, without needing to remember the server's public
key.  To prove its identity through \s-1SRP\s0, the server must store
secret data derived from a user's password.  The file \fIpath\fR
specified in \fBUserfile\fR contains these secrets for users opting to
use \s-1SRP\s0.  The \fB\-pub\fR option tells \fBsfsauthd\fR to maintain
in \fIpubpath\fR a separate copy of the database without secret
information.
\fIpubpath\fR might reside on an anonymously readable \s-1SFS\s0 file
system\(emother machines can then import the file as a read-only
database using a \fBUserfile\fR line without the \fB\-update\fR flag.
.RE
.RS 4
.sp
If no \fBUserfile\fR directive is specified, \fBsfsauthd\fR uses the
following default (again, unqualified names are assumed to be in
\fI/etc/sfs\fR):
.sp
.nf
\&    Userfile -update -passwd -pub=sfs_users.pub sfs_users
.fi
.RE
.IP "Logfile \fIpath\fR" 4
Use the logfile given by \fIpath\fR to output the signature log
generated by \fBsfsauthd\fR.  The default logfile is
\fI/var/sfs/sign_log\fR.
.IP "SRPfile \fIpath\fR" 4
Where to find default parameters for the \s-1SRP\s0 protocol.  Generate
such a file using the \(lqsfskey gensrp\(rq command.  The default is
\fIsfs_srp_params\fR.  If the default file does not exist, serving
pre-generated \s-1SRP\s0 parameters is disabled.
.IP "Denyfile \fIpath\fR" 4
Specify a file containing a list of users that are to be explicitly
denied the ability to register and update keys on the authserver.  The
default is \fIsfs_deny\fR.  If the default file does not exist, the
list is assumed to be empty.
.IP "Realm \fIname\fR" 4
Define the realm to which this authserver will belong.  Authentication
information (including \s-1SRP\s0) can be shared amongst authservers
that are in the same realm.  Thus, a user who wants to authenticate to a
realm can contact any authserver in that realm.
.sp
If the \fBRealm\fR directive does \s-1NOT\s0 appear in this file, the
authserver will not join any realm.  This behavior is the default.  If
the \fBRealm\fR directive does appear, \fIname\fR cannot be empty.
.sp
\s-1NOTE:\s0 Changing an authserver's realm after users have already
registered using \s-1SRP\s0 requires all users to update their
authentication data because the realm is bound into the stored
\s-1SRP\s0 information.
Specifically, each user will need to run
.sp
.nf
\&    sfskey update -r username@authserver
.fi
A user logged on to the authserver can use the hostname \fI\-\fR to
signify the local host:
.sp
.nf
\&    sfskey update -r -
.fi
.IP "Certpath \fIdir\fR [\fIdir\fR ...]" 4
Specify a certification path to return to the client as a result of an
\(lqsfskey login\(rq command; this list of directories will become the
arguments to a \fBdirsearch\fR certprog.  That is, for a certpath
\(lq\fIdir1\fR \fIdir2\fR\(rq the client will add a certprog
\(lqdirsearch \fIdir1\fR \fIdir2\fR\(rq to the user's agent.  The
certification path will be tagged with a prefix equal to the
authserver's realm (see above).
.sp
\s-1NOTE:\s0 The \fBCertpath\fR directive only makes sense if the
authserver is part of a realm.  The certpath will be ignored if the
\fBRealm\fR directive isn't specified.
.sp
There are three ways to specify a certpath directory:
.sp
.nf
\&    certpath //dir1 /dir2 @sfs.host.domain,HOSTID/dir2
.fi
which can also be written
.sp
.nf
\&    certpath //dir1
\&    certpath /dir2
\&    certpath @sfs.host.domain,HOSTID/dir2
.fi
A directory starting with two slashes (\(lq//\(rq) is considered
relative to the client machine's root (\(lq/\(rq).  A directory
starting with one slash (\(lq/\(rq) is relative to the authserver's
self-certifying pathname (the authserver performs the substitution
before it sends the directory).  The third form is a fully specified
directory on \s-1SFS\s0.
.sp
The default certpath is empty.
.SH "FILES"
.IP "\fI/etc/sfs/sfsauthd_config\fR" 4
.PD 0
.IP "\fI/usr/local/share/sfs/sfsauthd_config\fR" 4
.PD
user-authentication daemon configuration
.PP
(Files in \fI/etc/sfs\fR supersede default versions in
\fI/usr/local/share/sfs\fR.)
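.SH "EXAMPLE"
The following is an added example, not code from the \s-1SFS\s0
distribution: a small Python parser for the \fBUserfile\fR directive
described above.  It enforces the \fB\-uid\fR/\fB\-uidmap\fR and
\fB\-gid\fR/\fB\-gidmap\fR exclusion, flags a database as read-only when
\fB\-update\fR is absent, and applies \fB\-prefix\fR and the range offset
of the \fB\-uidmap=1000\-2520+60000\fR example.  It assumes (the page
does not say) that IDs outside the mapped range pass through unchanged.

```python
import re

# u1-u2+u3: map ids in [u1, u2] by adding the offset u3
_RANGE = re.compile(r"^(\d+)-(\d+)\+(\d+)$")
_FLAGS = ("-update", "-create", "-passwd", "-admin")


def parse_userfile(line):
    """Parse one 'Userfile [options] path' directive into a dict.
    Raises ValueError on unknown options, malformed ranges, or when
    -uid/-uidmap (or -gid/-gidmap) are given together."""
    words = line.split()
    if len(words) < 2 or words[0] != "Userfile":
        raise ValueError("not a Userfile directive: %r" % line)
    opts = {"flags": set(), "prefix": "", "pub": None,
            "uid": None, "uidmap": None, "gid": None, "gidmap": None}
    for w in words[1:-1]:
        if w in _FLAGS:
            opts["flags"].add(w[1:])
        elif w.startswith("-prefix="):
            opts["prefix"] = w[len("-prefix="):]
        elif w.startswith("-pub="):
            opts["pub"] = w[len("-pub="):]
        elif w.startswith(("-uid=", "-gid=")):
            opts[w[1:4]] = int(w[5:])
        elif w.startswith(("-uidmap=", "-gidmap=")):
            m = _RANGE.match(w[8:])
            if not m:
                raise ValueError("bad range in %r" % w)
            opts[w[1:7]] = tuple(int(x) for x in m.groups())
        else:
            raise ValueError("unknown Userfile option %r" % w)
    for fixed, ranged in (("uid", "uidmap"), ("gid", "gidmap")):
        if opts[fixed] is not None and opts[ranged] is not None:
            raise ValueError("-%s and -%s are mutually exclusive" % (fixed, ranged))
    opts["path"] = words[-1]
    # Without -update the page treats the database as read-only.
    opts["read_only"] = "update" not in opts["flags"]
    return opts


def _map_id(value, fixed, rng):
    if fixed is not None:          # -uid / -gid: everyone gets this id
        return fixed
    if rng is not None:            # -uidmap / -gidmap: shift the range
        lo, hi, offset = rng
        # Assumption: ids outside lo..hi are left untouched.
        return value + offset if lo <= value <= hi else value
    return value


def map_credentials(opts, user, uid, gid):
    """Apply -prefix and the uid/gid mapping of a parsed Userfile."""
    return (opts["prefix"] + user,
            _map_id(uid, opts["uid"], opts["uidmap"]),
            _map_id(gid, opts["gid"], opts["gidmap"]))
```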
.SH "SEE ALSO"
\fIdirsearch\fR\|(1), \fInewaid\fR\|(1), \fIrex\fR\|(1),
\fIsfsagent\fR\|(1), \fIsfskey\fR\|(1), \fIssu\fR\|(1),
\fIsfs_config\fR\|(5), \fIsfs_srp_params\fR\|(5), \fIsfs_users\fR\|(5),
\fIsfscd_config\fR\|(5), \fIsfsrwsd_config\fR\|(5),
\fIsfssd_config\fR\|(5), \fIfunmount\fR\|(8), \fIsfsauthd\fR\|(8),
\fIsfscd\fR\|(8), \fIsfsrwsd\fR\|(8), \fIsfssd\fR\|(8), \fIvidb\fR\|(8)
.PP
The full documentation for \fB\s-1SFS\s0\fR is maintained as a Texinfo
manual.  If the \fBinfo\fR and \fB\s-1SFS\s0\fR programs are properly
installed at your site, the command \fBinfo \s-1SFS\s0\fR should give
you access to the complete manual.
.PP
For updates, documentation, and software distribution, please see the
\fB\s-1SFS\s0\fR website at \fIhttp://www.fs.net\fR.
.SH "AUTHOR"
sfsdev@redlab.lcs.mit.edu