Authentication by Identifier and Password
Users may authenticate to a realm by providing an identifier (a PUID or an alias), a password, and the
name of the realm to which they wish to authenticate. A successful authentication to a realm establishes the user's
identity in that realm, and possibly in other realms (see "Trust Relationships", below).
Because the password travels to authcnetd unencrypted within the protocol, an authentication attempt is only
accepted over an SSL connection; the transport, not the protocol, protects the password.
The User:
- connects to authcnetd
- provides:
    - a PUID or alias
    - a password
    - the name of the realm
Authcnetd:
- replies ACK if:
- the password matches, and
- the realm's authentication policies allow the user to authenticate
- replies NAK if:
    - the password does not match, or
    - the realm's authentication policies do not allow the user to authenticate (e.g., if an account is "frozen", authcnetd replies NAK even if the password matches). The reply is the same NAK in both cases, so a client cannot tell a wrong password from a disallowed account.
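The decision above, as an added example modelling authcnetd's ACK/NAK logic (this is illustrative code, not the project's own; the password hashing scheme, the alias index, and the "frozen" flag as the only policy are assumptions). The two NAK causes are deliberately folded into one reply, and an unknown identifier still pays the cost of a password hash so timing does not leak which identifiers exist:

```python
"""Model of authcnetd's identifier+password decision: ACK or NAK.

Added example, not project code. Storage format, PBKDF2 parameters and the
single "frozen" policy are assumptions for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set

ITERATIONS = 50_000  # assumed work factor; the page does not specify one


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed scheme: the page does not say how authcnetd stores passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    puid: str
    aliases: Set[str]
    salt: bytes
    pw_hash: bytes
    frozen: bool = False  # realm policy: frozen accounts may not authenticate


class Realm:
    """One realm's account store, addressable by PUID or alias."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._accounts: Dict[str, Account] = {}
        self._alias_index: Dict[str, str] = {}  # alias -> PUID

    def add_account(self, puid: str, password: str, aliases=(), frozen=False) -> None:
        salt = os.urandom(16)
        acct = Account(puid, set(aliases), salt, hash_password(password, salt), frozen)
        self._accounts[puid] = acct
        for alias in aliases:
            self._alias_index[alias] = puid

    def lookup(self, identifier: str) -> Optional[Account]:
        # An identifier is either a PUID or an alias that resolves to one.
        puid = self._alias_index.get(identifier, identifier)
        return self._accounts.get(puid)


# Fixed salt/hash used only to equalise work when the account does not exist.
_DUMMY_SALT = bytes(16)


def authenticate(realms: Dict[str, Realm], identifier: str, password: str,
                 realm_name: str) -> str:
    """Return "ACK" or "NAK" exactly as the rules on the page describe."""
    realm = realms.get(realm_name)
    acct = realm.lookup(identifier) if realm is not None else None
    if acct is None:
        hash_password(password, _DUMMY_SALT)  # same cost as a real check
        return "NAK"
    password_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    policy_ok = not acct.frozen
    # Both conditions must hold; either failure yields the same NAK.
    return "ACK" if password_ok and policy_ok else "NAK"


def demo_realms() -> Dict[str, Realm]:
    """Constructed sample data (not from the page) for trying the model."""
    staff = Realm("staff")
    staff.add_account("p-1001", "correct horse", aliases=("alice",))
    staff.add_account("p-1002", "battery staple", aliases=("bob",), frozen=True)
    return {"staff": staff}
```

`authenticate()` never says which condition failed; a frozen account with the right password and an unknown alias with any password both come back as NAK.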
Authentication Sessions
While a user remains connected, authcnetd tracks the session's authentication state and passes it to authcdbm with each
command. If the user authenticates to multiple realms, authcnetd records each successful authentication and passes all of
these authentication credentials to authcdbm. The state lives with the connection: when the user disconnects, it is gone.
Trust Relationships
Realms may define trust relationships with other realms to allow a user to authenticate once and share the resulting
authentication credentials with those realms. The combination of authcdbm's trust relationships and authcnetd's tracking of
authentication sessions allows users to establish their identities in multiple realms with a single authentication.
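The session tracking and trust resolution described in the two sections above, as an added example (illustrative code, not the project's own). It assumes trust is a directed, one-hop relation between realms, that a directly established identity takes precedence over one obtained through trust, and that the PUID is the identity carried across realms; the page states none of these, so treat them as assumptions:

```python
"""Model of authcnetd session state plus authcdbm trust relationships.

Added example, not project code. Assumptions: trust edges are directed and
not transitive; the PUID is what a trusting realm accepts; a direct
authentication to a realm wins over a trusted one.
"""
from typing import Dict, Optional, Set


class TrustTable:
    """authcdbm-side: which realms a given realm accepts credentials from."""

    def __init__(self) -> None:
        self._trusts: Dict[str, Set[str]] = {}

    def add(self, trusting_realm: str, trusted_realm: str) -> None:
        """trusting_realm honours authentication established in trusted_realm."""
        self._trusts.setdefault(trusting_realm, set()).add(trusted_realm)

    def trusted_by(self, realm: str) -> Set[str]:
        return self._trusts.get(realm, set())


class Session:
    """authcnetd-side: credentials recorded for one connection."""

    def __init__(self) -> None:
        # realm -> PUID established by a successful authentication to that realm
        self.credentials: Dict[str, str] = {}

    def record(self, realm: str, puid: str) -> None:
        """Called after authcnetd replied ACK for this realm."""
        self.credentials[realm] = puid

    def disconnect(self) -> None:
        # Session state exists only while the user stays connected.
        self.credentials.clear()


def identity_in(session: Session, trust: TrustTable, realm: str) -> Optional[str]:
    """PUID the session holds in `realm`, directly or via one trust hop, else None."""
    if realm in session.credentials:
        return session.credentials[realm]
    for source in sorted(trust.trusted_by(realm)):
        if source in session.credentials:
            return session.credentials[source]
    return None


def effective_identities(session: Session, trust: TrustTable, all_realms) -> Dict[str, str]:
    """What authcnetd would hand to authcdbm: every realm the session is valid in."""
    found = {r: identity_in(session, trust, r) for r in all_realms}
    return {r: p for r, p in found.items() if p is not None}


def demo() -> Dict[str, str]:
    """Constructed scenario (not from the page): mail trusts staff, staff trusts hr."""
    trust = TrustTable()
    trust.add("mail", "staff")
    trust.add("staff", "hr")
    session = Session()
    session.record("staff", "p-1001")  # one authentication to "staff"
    return effective_identities(session, trust, ["staff", "mail", "hr", "guests"])
```

With the constructed scenario, a single authentication to `staff` is also valid in `mail` (which trusts `staff`), but not in `hr` (trust points the other way) or `guests` (no relationship). The one-hop rule means authenticating only to `hr` would not reach `mail` through `staff`; if a deployment wanted transitive trust it would have to be defined explicitly.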