Role "Auth" Attribute

A new column holding a JSON-formatted configuration gives Role Based Policy the same range of authentication methods that script-based policy currently employs. The applicable functions are called by the Role Based Policy authorization functions in a similar way to script-based policy.

The column is a JSON array of methods that are called in order; authorization is REJECTed as soon as the first method fails. Each array element is a JSON object with a method and its attributes:

{"method" : "getstringpasswd", "passwd" : "<string>", "prompt" : "<string>", "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>}

passwd         Base64-encoded SHA-256 hash of the password to match
prompt         The prompt string
message        Message to display if the authentication fails
rejectMessage  The reject message that is logged against the event
tries          The number of password attempts

{"method" : "getuserpasswd", "user" : "<string>", "fname" : "<string>", "prompt" : "<string>", "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>, "period" : <num>}

user           Username to check
fname          The unique filename used to cache the password authentication
prompt         The prompt string
message        Message to display if the authentication fails
rejectMessage  The reject message that is logged against the event
tries          The number of password attempts
period         The maximum duration before the user has to reauthenticate

{"method" : "getuserpasswdpam", "user" : "<string>", "service" : "<string>", "fname" : "<string>", "prompt" : "<string>", "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>, "period" : <num>}

user           Username to check
service        The PAM service string
fname          The unique filename used to cache the password authentication
prompt         The prompt string
message        Message to display if the authentication fails
rejectMessage  The reject message that is logged against the event
tries          The number of password attempts
period         The maximum duration before the user has to reauthenticate

{"method" : "submitconfirmuser", "user" : "<string>", "fname" : "<string>", "prompt" : "<string>", "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>, "period" : <num>}

user           Username to check
fname          The unique filename used to cache the password authentication
prompt         The prompt string
message        Message to display if the authentication fails
rejectMessage  The reject message that is logged against the event
tries          The number of password attempts
period         The maximum duration before the user has to reauthenticate

{"method" : "submitconfirmuserpam", "user" : "<string>", "service" : "<string>", "fname" : "<string>", "prompt" : "<string>", "message" : "<string>", "rejectMessage" : "<string>", "tries" : <num>, "period" : <num>}

user           Username to check
service        The PAM service string
fname          The unique filename used to cache the password authentication
prompt         The prompt string
message        Message to display if the authentication fails
rejectMessage  The reject message that is logged against the event
tries          The number of password attempts
period         The maximum duration before the user has to reauthenticate

Three other variables (runconfirmuser, runconfirmmessage and runconfirmpasswdservice) also affect reauthentication. Because these are policy script variables rather than functions, they do not belong in the Auth column: set them in the Variables column, where they are templated in the same manner as other variables, for example:

{ "runconfirmuser" : "%user%" }

Matching Endpoint Privilege Management for Unix and Linux Variables for a Role

A new JSON-formatted column has been introduced that allows roles to be matched based on variables submitted by the client, for example pbclientmode. The values to match are wildcard patterns interpreted using normal glob(3) rules.

The format of the object is similar to:

{ "varmatch" : { "pbclientmode" : "pbrun", "year" : "201[678]" } }
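As an added example (not code from Endpoint Privilege Management itself), the following Python checks an Auth column against the method tables above, simulates the in-order call sequence that REJECTs at the first failing method, and applies a varmatch object using glob-style matching. It assumes every attribute listed for a method is required (the page does not say which are optional) and stands in for the real prompts with a constructed outcome map; method names and keys are the page's, all sample values are constructed.

```python
import fnmatch
import json

# Attributes each method takes, copied from the tables above. Treating all of
# them as required is an assumption made by this example.
COMMON = {"prompt", "message", "rejectMessage", "tries"}
REQUIRED = {
    "getstringpasswd":      COMMON | {"passwd"},
    "getuserpasswd":        COMMON | {"user", "fname", "period"},
    "getuserpasswdpam":     COMMON | {"user", "service", "fname", "period"},
    "submitconfirmuser":    COMMON | {"user", "fname", "period"},
    "submitconfirmuserpam": COMMON | {"user", "service", "fname", "period"},
}

def validate_auth(column):
    """Parse an Auth column string; return a list of problems (empty if clean)."""
    try:
        methods = json.loads(column)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg}"]
    if not isinstance(methods, list):
        return ["Auth column must be a JSON array of method objects"]
    problems = []
    for i, m in enumerate(methods):
        name = m.get("method") if isinstance(m, dict) else None
        if name not in REQUIRED:
            problems.append(f"entry {i}: unknown method {name!r}")
            continue
        missing = sorted(REQUIRED[name] - set(m))
        if missing:
            problems.append(f"entry {i} ({name}): missing {', '.join(missing)}")
        for k in ("tries", "period"):   # documented as <num>
            if k in m and not isinstance(m[k], (int, float)):
                problems.append(f"entry {i} ({name}): {k} must be a number")
    return problems

def run_auth(methods, outcomes):
    """Call methods in array order and REJECT at the first failure.
    `outcomes` maps method name -> bool and stands in for the real prompts."""
    for m in methods:
        if not outcomes.get(m["method"], False):
            return "REJECT", m["rejectMessage"]
    return "ACCEPT", None

def varmatch(spec, client_vars):
    """Every key in the varmatch object must be present and glob-match (*, ?, [...])."""
    return all(k in client_vars and fnmatch.fnmatchcase(str(client_vars[k]), pat)
               for k, pat in spec["varmatch"].items())
```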