cr1 Bilateral Authentication Scheme

Registering cr1 with the connection server

Nothing needs to be done on the client side to register cr1. Once the cr1 executable program is installed, the connection server automatically invokes cr1 with the -r option whenever it receives a message from the server indicating that cr1 is protecting the requested service. The -r option tells the program on the client that it is to play the role of the responder in the authentication exchange.

When cr1 is invoked on the client, it searches local databases and sends the pertinent information to the server, where the port monitor passes it as arguments to the server's own cr1. Included in the arguments are the name of the user on the remote system and the remote system's machine name, which cr1 uses to locate the shared key in its key database. Setting up the key database is described in ``Setting up the key database''.

Although cr1 does not need to be administered on the client, the client administrator has the option to specify a list of acceptable schemes in the connection server's /etc/iaf/serve.allow file. If cr1 is specified, the connection server will fail the connection request if the use of cr1 is not mandated by the server. By forcing the server to use cr1, the client can verify the server's identity.

Instructions for setting up the /etc/iaf/serve.allow file can be found in ``Maintaining the /etc/iaf/serve.allow file'' of ``Administering the connection server''.
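The following is an added model of the two points above, not cr1's own code, wire format or database layout: a shared key located by (remote user, remote machine name), a bilateral challenge-response in which each side proves knowledge of that key to the other, and the client-side serve.allow policy that fails the connection when cr1 is listed but the server does not mandate it. HMAC-SHA256 and the in-memory key table are assumptions standing in for whatever cr1 actually uses.

```python
# Added illustration (not cr1's actual protocol or key database): a bilateral
# shared-key challenge-response plus the client's serve.allow policy check.
import hashlib
import hmac
import os

# Constructed key database: (remote user, remote machine name) -> shared key.
KEY_DB = {("alice", "client1"): b"0123456789abcdef"}


def lookup_key(user, machine):
    """Locate the shared key by the (user, machine) pair the responder sends."""
    return KEY_DB.get((user, machine))


def respond(key, challenge, role):
    """Keyed answer to a challenge; the role tag stops a challenge being reflected."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


def bilateral_auth(client_key, server_key, rng=os.urandom):
    """Each side challenges the other with a fresh nonce.

    Returns (server_verified_client, client_verified_server). Only a peer
    holding the same shared key can produce the expected keyed response, so
    an impostor server fails the second check: this is what the client gains
    by forcing the server to use the scheme.
    """
    client_nonce, server_nonce = rng(16), rng(16)
    # Client answers the server's challenge; server recomputes with its key.
    client_resp = respond(client_key, server_nonce, b"client")
    server_ok = hmac.compare_digest(
        client_resp, respond(server_key, server_nonce, b"client"))
    # Server answers the client's challenge; client recomputes with its key.
    server_resp = respond(server_key, client_nonce, b"server")
    client_ok = hmac.compare_digest(
        server_resp, respond(client_key, client_nonce, b"server"))
    return server_ok, client_ok


def client_accepts(required_schemes, server_mandated_scheme):
    """serve.allow policy: if cr1 is listed, fail unless the server mandates it."""
    if "cr1" in required_schemes:
        return server_mandated_scheme == "cr1"
    return True
```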

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004