sfs_users -- User-authentication database
The sfs_users file, maintained and used by the sfsauthd program, maps public keys to local users. It is roughly analogous to the Unix /etc/passwd file. Each line of sfs_users has the following format:

user:public-key:credentials:SRP-info:private-key
- user
- user is the unique name of a public key in the database. Ordinarily it is the same as a user-name in the local password file. However, in certain cases it may be useful to map multiple public keys to the same local account (for instance if several people have an account with root privileges). In such cases, each key should be given a unique name (e.g., dm/root, kaminsky/root, etc.).
- public-key
- public-key is simply the user's public key. A user must possess the corresponding private key to authenticate himself to servers.
- credentials
- credentials are the credentials associated with a particular SFS public key. It is simply a local username to be looked up in the Unix password and group databases. Ordinarily, credentials should be the same as user unless multiple keys need to be mapped to the same credentials.
- SRP-info
- SRP-info is the server-side information for the SRP protocol (see SRP). Unlike the previous fields, this information must be kept secret. If it is disclosed, an attacker may be able to impersonate the server by causing the sfskey add command to fetch the wrong HostID. Note also that SRP-info is specific to a particular hostname. If you change the Location of a file server, users will need to register new SRP-info.
- private-key
- private-key is actually opaque to sfsauthd. It is private, per-user data that sfsauthd will return to users who successfully complete the SRP protocol. Currently, sfskey uses this field to store an encrypted copy of a user's private key, allowing the user to retrieve the private key over the network.
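The following is an added example, not part of SFS or the sfsauthd sources, showing how an administrator might parse an sfs_users file into its five fields and audit it: which local accounts are reachable through more than one key (the dm/root, kaminsky/root case above), and which records carry the two fields that must stay secret, SRP-info and private-key. The sample file is constructed with placeholder strings rather than real key material; the handling of blank lines and # comments, and the choice to split on at most four colons so that the opaque private-key field may contain colons, are assumptions of this example and not documented behaviour of sfsauthd.

```python
"""Parse and audit an SFS sfs_users file (added example, not SFS code).

Each line has five colon-separated fields:
    user:public-key:credentials:SRP-info:private-key
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample database.  All key, SRP and private-key values are
# placeholders, not real SFS material.  Comment and blank-line handling is
# an assumption of this example.
SAMPLE_SFS_USERS = """\
# constructed example, not a real database
alice:PUBKEY_ALICE_PLACEHOLDER:alice:SRPINFO_ALICE_PLACEHOLDER:ENCPRIV_ALICE_PLACEHOLDER
dm/root:PUBKEY_DM_PLACEHOLDER:root::
kaminsky/root:PUBKEY_KAMINSKY_PLACEHOLDER:root:SRPINFO_KAMINSKY_PLACEHOLDER:
bob:PUBKEY_BOB_PLACEHOLDER:bob::
"""


@dataclass
class SfsUser:
    user: str          # unique key name, usually the local user-name
    public_key: str    # the user's public key
    credentials: str   # local username looked up in passwd/group
    srp_info: str      # server-side SRP data; must be kept secret
    private_key: str   # opaque per-user data returned after SRP succeeds


def parse_sfs_users(text: str) -> List[SfsUser]:
    """Parse the file, enforcing five fields and unique user names."""
    records: List[SfsUser] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # At most four splits: the trailing private-key field is opaque and
        # is assumed here to be allowed to contain ':' characters.
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        rec = SfsUser(*fields)
        if not rec.user or not rec.public_key:
            raise ValueError(f"line {lineno}: user and public-key are required")
        if rec.user in seen:
            raise ValueError(f"line {lineno}: duplicate user name {rec.user!r}")
        seen.add(rec.user)
        records.append(rec)
    return records


def keys_by_account(records: List[SfsUser]) -> Dict[str, List[str]]:
    """Map each local account (credentials) to the key names that reach it."""
    accounts: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        if rec.credentials:
            accounts[rec.credentials].append(rec.user)
    return dict(accounts)


def secret_fields(rec: SfsUser) -> List[str]:
    """Names of the populated fields in this record that must not be disclosed."""
    names = []
    if rec.srp_info:
        names.append("SRP-info")
    if rec.private_key:
        names.append("private-key")
    return names


def audit(records: List[SfsUser]) -> List[str]:
    """Findings an administrator would want to review."""
    findings = []
    for account, keys in keys_by_account(records).items():
        if len(keys) > 1:
            findings.append(
                f"account {account!r} is reachable by {len(keys)} keys: {', '.join(keys)}"
            )
    for rec in records:
        if rec.credentials != rec.user and "/" not in rec.user:
            findings.append(
                f"key {rec.user!r} maps to {rec.credentials!r} without a distinguishing name"
            )
    return findings


if __name__ == "__main__":
    users = parse_sfs_users(SAMPLE_SFS_USERS)
    for finding in audit(users):
        print(finding)
    for rec in users:
        print(rec.user, "secret fields:", secret_fields(rec) or "none")
```

The audit deliberately reports every account reachable by more than one key, since that is the case the text singles out, and the secret_fields listing tells you which lines would need to be rotated (new SRP registration, new encrypted private key) if the file were ever exposed.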