Role "Auth" Attribute
A new column holding a JSON-formatted configuration provides the flexibility of the multiple authentication methods that script-based policy currently employs. The corresponding functions are called by the Role Based Policy authorization functions in a similar way to script-based policy.
The column is a JSON array of methods that are called in order; the result is REJECT as soon as the first method fails. Each array element is a JSON object with a method and its attributes:
{"method" : "getstringpasswd", "passwd" : <string>, "prompt":"<string>", "message":"<string>", "rejectMessage":"<string>", "tries":<num>}
Attribute | Description
--------- | -----------
passwd | Base64 encoded SHA256 password to match
prompt | The prompt string
message | Message to display if the authentication fails
rejectMessage | The reject message that is logged against the event
tries | The number of password attempts
{"method" : "getuserpasswd", "user":<string>, "fname" : <string>, "prompt":"<string>", "message":"<string>", "rejectMessage":"<string>", "tries":<num>, "period" : <num>}
Attribute | Description
--------- | -----------
user | Username to check
fname | The unique filename used to cache the password authentication
prompt | The prompt string
message | Message to display if the authentication fails
rejectMessage | The reject message that is logged against the event
tries | The number of password attempts
period | The maximum duration before the user has to reauthenticate
{"method" : "getuserpasswdpam", "user":<string>, "service" : <string>, "fname" : <string>, "prompt":"<string>", "message":"<string>", "rejectMessage":"<string>", "tries":<num>, "period" : <num>}
Attribute | Description
--------- | -----------
user | Username to check
service | The PAM service string
fname | The unique filename used to cache the password authentication
prompt | The prompt string
message | Message to display if the authentication fails
rejectMessage | The reject message that is logged against the event
tries | The number of password attempts
period | The maximum duration before the user has to reauthenticate
{"method" : "submitconfirmuser", "user":<string>, "fname" : <string>, "prompt":"<string>", "message":"<string>", "rejectMessage":"<string>", "tries":<num>, "period" : <num>}
Attribute | Description
--------- | -----------
user | Username to check
fname | The unique filename used to cache the password authentication
prompt | The prompt string
message | Message to display if the authentication fails
rejectMessage | The reject message that is logged against the event
tries | The number of password attempts
period | The maximum duration before the user has to reauthenticate
{"method" : "submitconfirmuserpam", "user":<string>, "service" : <string>, "fname" : <string>, "prompt":"<string>", "message":"<string>", "rejectMessage":"<string>", "tries":<num>, "period" : <num>}
Attribute | Description
--------- | -----------
user | Username to check
service | The PAM service string
fname | The unique filename used to cache the password authentication
prompt | The prompt string
message | Message to display if the authentication fails
rejectMessage | The reject message that is logged against the event
tries | The number of password attempts
period | The maximum duration before the user has to reauthenticate
There are also three other variables (namely runconfirmuser, runconfirmmessage and runconfirmpasswdservice) that affect reauthentication. However, because these are policy script variables rather than functions, they are implemented the same way as other variables: they should be set in the Variables column, where they are templated in the same manner, for example:
{ "runconfirmuser" : "%user%" }
Matching Endpoint Privilege Management for Unix and Linux Variables for a Role
A new JSON-formatted column has been introduced that allows roles to be matched on variables submitted by the client, for example pbclientmode. The values to match may contain wildcards, which follow normal glob(3) rules.
The format of the object is similar to:
{ "varmatch" : { "pbclientmode" : "pbrun", "year" : "201[678]" }}
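The following added example (not part of the product documentation or code base) checks an Auth column against the method tables above, produces the Base64/SHA256 value for a getstringpasswd "passwd" attribute, and applies a varmatch object using glob(3) rules. Assumptions: the "passwd" value is the Base64 encoding of the raw SHA256 digest, and the method-specific attributes in the tables are mandatory while prompt, message, rejectMessage and tries are optional.

```python
import base64
import fnmatch
import hashlib
import json

# Method-specific attributes from the tables above; prompt/message/rejectMessage/tries are common.
REQUIRED = {
    "getstringpasswd": {"passwd"},
    "getuserpasswd": {"user", "fname", "period"},
    "getuserpasswdpam": {"user", "service", "fname", "period"},
    "submitconfirmuser": {"user", "fname", "period"},
    "submitconfirmuserpam": {"user", "service", "fname", "period"},
}
COMMON = {"method", "prompt", "message", "rejectMessage", "tries"}

def passwd_hash(password):
    """'passwd' value: Base64 of the SHA256 digest (assumed raw digest bytes, not hex)."""
    return base64.b64encode(hashlib.sha256(password.encode()).digest()).decode()

def validate_auth(column):
    """Check an Auth column (JSON text) against the method tables; [] means well-formed."""
    methods = json.loads(column)
    if not isinstance(methods, list):
        return ["Auth column must be a JSON array of method objects"]
    errors = []
    for i, m in enumerate(methods):
        name = m.get("method")
        if name not in REQUIRED:
            errors.append(f"[{i}] unknown method {name!r}")
            continue
        errors += [f"[{i}] {name}: missing {k!r}" for k in sorted(REQUIRED[name] - m.keys())]
        errors += [f"[{i}] {name}: unexpected {k!r}" for k in sorted(m.keys() - REQUIRED[name] - COMMON)]
        if not isinstance(m.get("tries", 1), int) or m.get("tries", 1) < 1:
            errors.append(f"[{i}] {name}: 'tries' must be a positive integer")
    return errors

def varmatch(rule, client_vars):
    """Apply a 'varmatch' object: every listed client variable must exist and glob-match."""
    return all(k in client_vars and fnmatch.fnmatchcase(str(client_vars[k]), pat)
               for k, pat in rule.get("varmatch", {}).items())

# Constructed sample column: a role passphrase check, then PAM reauthentication each hour.
SAMPLE_AUTH = json.dumps([
    {"method": "getstringpasswd", "passwd": passwd_hash("example-secret"), "prompt": "Passphrase: ",
     "message": "Incorrect passphrase", "rejectMessage": "Role passphrase failed", "tries": 3},
    {"method": "getuserpasswdpam", "user": "%user%", "service": "pbul", "fname": "%user%-reauth",
     "prompt": "Password: ", "message": "Auth failed", "rejectMessage": "PAM reauth failed",
     "tries": 3, "period": 3600},
])
```

The PAM service name "pbul" and the cache filename in the sample are constructed values; substitute the ones configured on your own hosts.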