


   SPX Version 2.2                                                     SPX(1)



   Name
     SPX - Introduction to the SPX system


   Description
     The SPX system provides public key based strong authentication for
     individual users and server principals in a distributed environment.
     After installing their SPX credentials, principals use SPX to generate
     authentication tokens to authenticate themselves to remote principals,
     or to decide whether to accept a token received from a remote principal.

     SPX V2.2 provides strong authentication in the network utilities flogin,
     fcp, and fsh.  These permit strongly authenticated remote access to
     systems whose discretionary access policies are based on global (X.500)
     names, rather than on a local user name on a particular remote host as
     with the .rhosts or hosts.equiv mechanisms.  The global names permitted
     incoming access are instead listed in a principal's .sphinx file.

     Before you can use SPX, you must be enrolled as a user in the SPX
     database.  You can use the spxinit command to find out whether you can
     install credentials.  This command prompts for your SPX password and
     creates a temporary RSA key for your authentication session (it normally
     expires in eight hours).

     In order to register as a user you must first have long-term RSA public
     and (encrypted) private key files.  You can generate these using the
     createkey command.  You then obtain your global identity, which must be
     an immediate subordinate of (in a directory administered by) a
     Certification Authority (CA).  The CA has jurisdiction over this global
     name for you (you might have more than one for different purposes).  You
     obtain the public key for this CA and create a "trusted authority"
     certificate using the createcertif command with the -t option.  To
     complete the registration process, you send your two key files and
     initial trusted authority certificate to the CA, which generates a
     certificate attesting to your name and public key and puts all of these
     in your namespace record.

     As SPX V2.2 does not yet have the global X.500 name service available,
     you must provide these files to the administrator of the Certificate
     Distribution Center (CDC) that holds your CA's name jurisdiction.  This
     means that your certificates under different global name prefixes might
     be held in different CDCs.

     An SPX name is an X.500 name constructed as a domain prefix followed by
     the CA's "relative distinguished name" (RDN) and then the principal's
     RDN.  The domain prefix is found in the /etc/cdc.conf file.  An RDN
     contains both the naming attribute type and the actual string name.  For
     user and server principals the naming attribute is Common Name,
     abbreviated CN=.  For CAs, it is Organizational Unit, OU=.

     For example, at Digital there is an SPX domain with the prefix
             /C=US/O=Digital/OU=LKG/
     that has two CAs, OU=Users and OU=Servers.  A user such as CN="John Smith"
     has a complete name of
             /C=US/O=Digital/OU=LKG/OU=Users/CN=John Smith

     Note that spxinit will prompt for the user's full name if the
     SPHINX_LOCAL_NAME environment variable isn't set.  It also permits you
     to specify a SPHINX_LOCAL_CA variable, but this normally defaults to
     "/OU=Users".  In the above example, SPHINX_LOCAL_NAME would be 'John
     Smith'.
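     The following shell script, added here as an example and not part of
     the SPX distribution, assembles a principal's full SPX name from the
     three pieces described above (domain prefix, CA RDN, principal RDN),
     applying the "/OU=Users" default when no CA is given.  It assumes a
     cdc.conf-style file consisting of a single "prefix <domain-prefix>"
     line (the real /etc/cdc.conf format is not described on this page) and
     a constructed server principal CN=fsh under OU=Servers.

```sh
#!/bin/sh
# Constructed stand-in for /etc/cdc.conf.  The real file's format is not
# documented here; a single "prefix <domain-prefix>" line is ASSUMED.
SPX_CONF="${TMPDIR:-/tmp}/cdc.conf.example"
printf 'prefix /C=US/O=Digital/OU=LKG/\n' > "$SPX_CONF"

# spx_full_name CONF [CA_RDN] PRINCIPAL_NAME
# Assembles: domain prefix (from CONF) + CA RDN (default /OU=Users, as
# SPHINX_LOCAL_CA would supply it) + /CN=<PRINCIPAL_NAME> (what spxinit
# takes from SPHINX_LOCAL_NAME or prompts for).
spx_full_name() {
    conf="$1"
    ca="${2:-/OU=Users}"
    user="$3"
    prefix=$(awk '$1 == "prefix" { print $2; exit }' "$conf")
    [ -n "$prefix" ] || { echo "spx_full_name: no prefix in $conf" >&2; return 1; }
    [ -n "$user" ] || { echo "spx_full_name: empty principal name (SPHINX_LOCAL_NAME unset?)" >&2; return 1; }
    prefix="${prefix%/}"      # drop the trailing slash of the prefix
    ca="/${ca#/}"             # exactly one leading slash on the CA RDN
    printf '%s%s/CN=%s\n' "$prefix" "$ca" "$user"
}

# Stand-alone usage: the user from the text, then a constructed server
# principal under the OU=Servers CA.
spx_full_name "$SPX_CONF" "${SPHINX_LOCAL_CA:-}" "${SPHINX_LOCAL_NAME:-John Smith}"
spx_full_name "$SPX_CONF" /OU=Servers fsh
```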

     If you use the spxinit command to get your credentials, make sure you
     use the spxdestroy command to destroy your credentials before you end
     your login session.  You should put the spxdestroy command (with the -f
     option) in your .logout file so that your credentials are destroyed
     automatically when you log out.

     Currently, SPX supports the following network services: flogin, fsh, and
     fcp.

     To authorize others to access your resources based on their global
     identity, list their X.500 names in the .sphinx file in your home
     directory (~/.sphinx).  You can also restrict their access to particular
     utilities and, in the case of fcp, to particular files.

   See Also
     spxinit(1), spxlist(1), spxdestroy(1)
     createkey(1), createcertif(1)
     flogin(1), fcp(1), fsh(1)

   Features
     SPX will do authentication forwarding or delegation.  In other words, if
     you use flogin to log in to a remote host, you can use SPX to
     authenticate yourself to other hosts without having to explicitly do an
     spxinit on that host.  Thus, flogin does not send your password across
     the network in clear text under any circumstances.  You can control
     whether or not delegation is done.

   Digital Equipment Corporation