The Sub-authentication Service
The sub-authentication service lets local users define sub-accounts with different authentication tokens for specific services.
The system administrator defines one or more authentication zones, each corresponding to a set of system services. Each zone can contain an account for each system user. Depending on the configuration of the zone, accounts can be managed manually by the administrator, or they can be created automatically when the user sets an authentication token for the zone.
Every account can be endowed with one of more authentication tokens of the following types. Depending on the configuration, all types need not be available in all zones.
- a user-specified string, usually easy to remember, but hard to guess. This is useful when authenticating manually. Please note that the password must not contain a "-" (minus) character, because it is used as a separator in other token types. There may be at most one password per account.
- Regular token:
- such tokens are generated automatically. They consist of a public identifier (4 hexadecimal digits) and a random secret string. Multiple tokens can be defined for the same account, their public identifiers and optional comments can be listed by the user. This can be useful if you want to let multiple programs remember your credentials: each program can get a unique token and when it ceases to be trusted, the token can be simply removed.
- Temporary token:
- this is a randomly generated cryptographically signed string, allowing access to the given user in the given zone for a limited time. Temporary tokens can be useful for services which are used so scarcely that it does not make sense to remember permanent credentials of any kind. You can set how long will the token be valid up to a limit configured by the administrator for the given zone.
All sub-accounts are managed by the subauthd daemon. Users can employ the subauth client to manipulate their sub-accounts. Application can authenticate users using either pam_subauth PAM plugin or the mod_authn_subauth Apache module.
The latest release of subauthd is version 1.0 (2018-01-21).