4C Network Security Configuration
4C Network Security Configuration
Controls which users or groups of users are allowed to
connect to which services.
4C allows you to configure the security
on your 4c server system with several new config
files.
All security configuration files are stored in the
directory HOME_4C/security.
All security config files can have comments in them.
Comments start with a '#' and continue until the end of the line they
start on.
The security config files are:
-
SecurityConfig -
System wide security settings
-
AuthClient -
Controls which client machines can connect to which
4c services.
-
Group -
An optional file that allows you to define groups
of 4C users.
-
AuthUser -
Controls which users or groups of users are allowed to
connect to which services.
The following are also stored in this directory:
-
The server's host key, either a DSA private key, or a RSA private key.
-
The DH parameter file.
-
One or more authentication logs.
The current one is always named auth.log.
The next older one is auth.log.1, followed by auth.log.2 and so
on up through auth.log.9.
The security directory as well as all the files in it,
must be readable only by root on Unix systems
and by Administrator or LocalSystem on NT systems.
If any other users have access to this directory or the
files in it, 4csrvrd will not start.
4C Security - SecurityConfig
The SecurityConfig file allows you to set global
non changing security options as well as default values
for options that can change depending on client machine
and user.
The options that can be specified in the SecurityConfig file
are:
-
SecurityLevel -
Highest, High, Medium, Low, Lowest, or None.
If you specify SecurityLevel None, then 4C does
not use any Security.
Currently, other than none, all SecurityLevels act the
same.
I expect this to evolve over time,
and would suggest using either medium or high as the SecurityLevel.
-
KeyExchange -
The method of KeyExchange.
Currently this must be:
Type=DH,Filename=<dhparamfile>
-
MinClientVersion -
Optional.
This is the default min client version you want to
allow to connect.
It can be overridden per AuthClient entry if you want.
If you allow client versions earlier than 4.4.0 to connect,
they connect and run insecurely.
-
Encryption -
A 4C encryption description such as:
Cipher=bf,Len=128,Mode=CBC.
-
Auth -
The default authentication method that you are allowing clients to use.
This can also be overridden per AuthClient entry or per AuthUser entry.
This entry wil be one or more of the following:
Password, LocalUser, ConnectedUser, Trusted, Any
Separate multiple service types by commas.
-
Service -
The default services that you are allowing clients to connect to.
This can also be overridden per AuthClient entry or per AuthUser entry.
This entry wil be one or more of the following:
Run, Dev, Csum, Logrdr, fs, fs/ro, share, pwd, Any
Separate multiple service types by commas.
-
HostKey -
This must be specified and will look like:
HostKey Type=RSA,Filename=hostkey_rsa
Here is a sample SecurityConfig file:
SecurityLevel High
#
# dont allow any insecure connections as a default
# this may be overriden in our AuthClient file for users
# on our vpn.
#
MinClientVersion 4.4.0
KeyExchange Type=DH,Filename=dhparam.pem
HostKey Type=RSA,Filename=hostkey_rsa
Encryption Cipher=bf,Len=128,Mode=CBC # This is pretty strong
#
# Default service to Run only.
#
Service Run
#
# Allow any authentication methods
#
Auth Any
4C Security - AuthClient
The AuthClient config file allows you to define which client machines
are allowed to connect to which 4C services.
You can override some of SecurityConfig default settings.
Each entry in the AuthClient file can refer to multiple
host machines as well as 1 or more services.
4C searches for an entry in the AuthClient file that matches the incoming
host and the requested service.
If one is not found, the connection is terminated without sending
a message to the client.
If you want to send a message to the client,
there must be an entry in the AuthClient which has an option of
"Refuse True" as well as the message you want the client to see.
There will be an example of this after the description of the
options.
The following options are allowed in the AuthClient config file.
Here is a sample AuthClient file:
#
# We need to have a localhost entry
# so that the 4cprt and 4cbuild processes
# can start
Client
Host localhost
Auth LocalUser,Password
#
# Let users on our network have pretty much full access
#
Client
Host 192.100.*.*
Host 192.200.*.*
Auth Any
Service Any
MinClientVersion 4.2.6
#
# This machine should only connect to the fs service in read only mode
# we trust user usr4c and user kenglish on this machine and let them
# connect to us as user test4c
#
Client
Host 206.228.110.139
Service fs/ro
Auth Trusted
TrustedUser RemoteUser=usr4c,LocalUser=test4c
TrustedUser RemoteUser=kenglish,LocalUser=test4c
#
# We dont want the above client connecting to any other service
#
Client
Host 206.228.110.139
Service Any
Refuse True
Message "*** Connection Refused ***"
#
# We dont want anyone else connection to any
# 4C Service. We dont send this client a message
#
Client
Host *.*.*.*
Service Any
Refuse True
4C Security - Group
The Group config file is optional.
You can use it to define groups of users
that then can be referred to in the AuthUser config
file using the group name.
There is a special group that is always implicitly defined
whether you use the Group file or not.
This is the "allusers" group and as the name implies
includes all users.
Here's an example Group file:
Group dev
Users jsmith,bfritz,kje
Group run
Users a,b,c,d,e,f
Users x,y,z
Group demo
Users demo,usr4c
A user can be in more than one group.
This Group concept has nothing to do with
the operating systems concept of a group.
4C Security - AuthUser
The AuthUser config file lets you define which users are allowed
to connect to which services and from which machines.
You can further limit the services a user can use and further limit
the authentication methods they can use.
You can specify some authenticated users run with another users
credentials.
You can specify values for environment variables and specify
which applications a user can access.
If a user is not identified by an entry in the AuthUser file,
the user will not be allowed to connect.
Here are the options you can specify in the AuthUser config file:
-
User -
Each entry in the AuthUser file starts with User at the beginning of a
line and as the only work on that line.
The options that go with a particular AuthUser entry are always
indented with some whitespace.
-
Allow -
Comma separated list of usernames and group names
that this AuthUser entry apply to.
Group names are distinguished from user names
with an '@' as the first character.
-
Ignore -
Comma separated list of usernames and group names
that this AuthUser entry does not apply to.
The ignore list is always checked before the allow list.
-
Host -
Optional list of hosts users can connect from.
If no Host is specified in an AuthUser entry,
then the AuthUser entry will allow connecting
from anywhere.
-
Service -
Comma separated list of services that this AuthUser
entry allows.
This can be used to further limit the services
allowed by SecurityConfig or AuthClient, but not to augment it.
-
Auth -
Comma separated list of authentication methods this AuthUser
entry allows.
This can be used to further limit the auth methods
allowed by SecurityConfig or AuthClient, but not to augment it.
-
Locked -
Account is locked.
-
Message -
Message to display to user indicating account is locked.
-
RunAsUser -
Username to run as after authentication succeeds.
-
RunAsPassword -
Sometimes needed on NT.
Do not use this on Unix.
-
Env -
Environment variables to set when this user
is authenticated.
Each env line looks like:
Env ENVVAR=<envval>
-
Application -
Comma separated list of applications that
the users are allowed to use.
You can still limit applications in the _4CSRVRCONFIG
file.
Here is a sample AuthUser file:
#
# Authorized Users
# Only Users Listed in this file are allowed
# to connect.
#
# Allow dev users and postgres to connect only from
# internal network. Ignore kevin in this entry so he can
# connect from anywhere
#
User
Allow @dev
Allow postgres
Ignore kevin
Host 192.168.*.*
#
# No restriction on kevin where he can connect from
#
User
Allow kevin
Service Any
#
# Allow anyone in the demo group to run demo application
# only. Always run with the credentials of user "demo"
#
User
Allow @demo
RunAsUser demo # force all to be demo
Service Run
Application demo
Env XLEXTTYPE=testpsql
Env FCCODIV=AAABBBCCC001
Here's another sample that just allows all users
to connect without putting any restrictions
on them.
User
Allow @allusers
Back to Top