
Chapter 8. Configuring Proxy Services and SOCKS

8.1 User Administration

Each user who will use the normal proxy servers needs to have an account on the IBM Firewall system. These are normal AIX user accounts, except that they have a restrictive login shell. Note that the FTP proxy replaces the standard FTP daemon and it does not allow access to the firewall itself, as it only accepts "quote site" commands.

Adding users is simply done by selecting the users option in the GUI.

Figure 154 on page 172 shows the general user screen.

Figure 154. List User Screen

From the list users screen we can define, modify or delete users. Figure 155 on page 173 shows the dialog for adding a user.

Figure 155. Administer General Screen

The options you can specify for each user are as follows:

Authority Level is either Administrator or Proxy User.

In this chapter we explain only the proxy user option.

User Name is the ID that the user will use to log in to the IBM Firewall.

User Full Name is the textual name of the user (for documentation purposes).

Secure Interface Shell is the command shell that the user will see when they log in using Telnet from the secure side of the firewall. The available shells are:

restrict.sh - only gives commands for establishing sessions (telnet, gopher, ping, mosaic, finger, etc.)

oneact.sh - only permits the user to establish a further Telnet session

csh, ksh, bsh - the normal C, Korn and Bourne shells

The default secure interface shell is restrict.sh.

Nonsecure Interface Shell is the command shell that the user will see when they log in from the nonsecure side of the firewall. The same shells are available as for the secure side.

Local Login is the method to authorize login from the console. The options are:

Password - normal AIX password validation

SecureNet card - one-time pass key using Axent SecureNet

SecureID card - one-time pass key using Security Dynamics SecureID

User Supplied - use authentication method provided by you (for example, Bellcore's S/Key)

Deny - prevent FTP login from the secure interface (default)

None - no security required

Secure FTP is the method to use to authenticate the user when they log in to FTP from the secure side of the firewall. The same options as for Local Login apply.

Non-Secure FTP is the method to use to authenticate the user when they log in to FTP from the nonsecure side of the firewall. The same options as for Local Login.

Secure Telnet is the method to use to authenticate the user when the user logs into Telnet from the secure side of the firewall. The same options as for Local Login.

Non-Secure Telnet is the method to use to authenticate the user when the user logs into Telnet from the nonsecure side of the firewall. The same options apply as for Secure Telnet.

Secure IP is the method to use to authenticate the user when the user logs in from the secure side of the firewall. The options are:

Deny - prevent FTP login from the secure interface (default)

Password - normal AIX password validation

Non-Secure IP is the method to use to authenticate the user when the user logs in from the nonsecure side of the firewall. The same options apply as for Secure IP.

Local Administration is the method to use to authenticate the administrator when he/she logs in from the secure network interface. The same options as for Local Login apply.

Remote Administration is the method to use to authenticate the administrator when he/she logs in from the nonsecure network interface. The same options as for Local Login apply.

Securenet Key is the key code used to prime the Axent SecureNet Key; enter the same value here.

Warning Time, in minutes, is the maximum time a user may remain idle before a warning message is sent announcing that the user will be disconnected.

Disconnect Time, in minutes, is the maximum time a user may remain idle before being disconnected. This time must be greater than the warning time.

You define the user as shown in Figure 154 on page 172 and select OK, but you first need to set the password values (Figure 156).

Figure 156. Defining the Password for New User

The options that you can specify are:

Set Password specify yes to assign the new password.

New Password provide a password.

New Password (Again Please) provide a password again, just to verify.

Login Retries is the maximum number of failed login attempts before lockout. 0 disables this option and 20 is the maximum number of login retries.

Expired Password Warning (Days) number of days before the password expires to receive a warning.

Num Passwords Before Reuse number of passwords before reuse; the maximum allowed is 20.

Weeks Before Password Reuse number of weeks before a password can be reused; 26 is recommended and 52 is the maximum.

Weeks Before Lockout is the number of weeks after password expiration during which the user may still log in and supply a new password before being locked out. -1 disables this option; the maximum is 26.

Max Age is the maximum password lifetime in weeks; 0 disables this option, and 52 is the maximum allowed.

Min Length is the minimum length of the password. 0 is no minimum and 8 is the maximum allowed.

Min Alpha Chars is the minimum number of alphabetic characters in the password. 0 is no minimum and 8 is the maximum allowed.

Min Other Chars is the minimum number of nonalphabetic characters in the password. 0 is no minimum and 8 is the maximum allowed.

Max Repeated Chars is the maximum number of times a character may be repeated in the password. 0 is no maximum; 8 is the maximum allowed.

Min Different Chars is the minimum number of characters in the new password that do not appear in the old password. 0 disables this option and 8 is the maximum allowed.
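The following is an added example, not IBM Firewall code, showing how the password-quality fields of Figure 156 combine when a new password is checked. The POLICY values are constructed, and the semantics (0 disables a check; Max Repeated Chars counts how often one character may appear; Min Different Chars counts characters absent from the old password) are assumed from the field descriptions above, modelled on the AIX minlen, minalpha, minother, maxrepeats and mindiff attributes.

```python
"""Constructed password-policy check modelled on the Figure 156 fields."""
from collections import Counter

# Constructed policy (assumption): values a cautious administrator might set.
POLICY = {
    "min_length": 8,      # Min Length
    "min_alpha": 2,       # Min Alpha Chars
    "min_other": 2,       # Min Other Chars
    "max_repeated": 2,    # Max Repeated Chars (times one character may appear)
    "min_different": 4,   # Min Different Chars (chars not present in old password)
}


def check_password(new, old, policy=POLICY):
    """Return the list of policy violations; an empty list means accepted.

    Each check follows the page's rule that a setting of 0 disables it.
    """
    problems = []
    if policy["min_length"] and len(new) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    alpha = sum(c.isalpha() for c in new)
    if policy["min_alpha"] and alpha < policy["min_alpha"]:
        problems.append(f"fewer than {policy['min_alpha']} alphabetic characters")
    other = len(new) - alpha
    if policy["min_other"] and other < policy["min_other"]:
        problems.append(f"fewer than {policy['min_other']} nonalphabetic characters")
    if policy["max_repeated"]:
        # Most frequent character in the candidate; 0 for an empty string.
        worst = max(Counter(new).values(), default=0)
        if worst > policy["max_repeated"]:
            problems.append(
                f"a character appears more than {policy['max_repeated']} times")
    if policy["min_different"]:
        # Characters of the new password that never occurred in the old one.
        fresh = len(set(new) - set(old))
        if fresh < policy["min_different"]:
            problems.append(
                f"fewer than {policy['min_different']} characters not in the old password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Fw!2024ab", "aaaa1234", "short"):
        verdict = check_password(candidate, "oldpass1") or ["accepted"]
        print(candidate, "->", "; ".join(verdict))
```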

The only user ID that you do not have to add in this way is root.

If you have many users to enter, the GUI may be a rather slow method to do it.

You may want to consider using the command fwuser; see 4.3.7, “Command Line Proxy User Generation” on page 50 for details.