This is the documentation for FishEye 3.5.

Host-based authentication uses the user account mechanism of the underlying operating system on which FishEye is running.

FishEye currently supports PAM-based authentication on 32-bit Linux/Solaris/OS-X, and NT-based authentication on Windows. 64-bit operating systems are not supported.

Group Restrictions

FishEye can be configured to check if a user belongs to a group (or groups) before allowing access.

You can list one group name, or join several group names into a boolean expression like group1 & (group2 | group3).

If your group name contains spaces or non-ASCII characters, then you need to use quotes. For example: "Power Users" | Administrators.

Windows

If you are using Active Directory, you can configure FishEye to use LDAP as an alternative to host-based authentication.

If the computer FishEye is running on is not a member of a domain, then the Domain attribute is ignored.

When the computer is a member of a domain, you need to enter the full DNS name of the domain (e.g. corp.example.com). If you enter the short version of the domain (e.g. corp), then group-based restrictions may fail.

Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.

PAM

On Linux, Solaris and OS-X, host-based authentication uses PAM (Pluggable Authentication Modules) to check users' passwords.

FishEye needs to be configured with the service name to use when conversing with PAM. You can create a new service name in the PAM configuration (typically /etc/pam.conf or /etc/pam.d/), or configure FishEye to use an existing service name (such as other, login or xscreensaver).

Some general operating-system specific tips are given below, but you should consult the PAM documentation for your operating system.

Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.

Linux

On many Linux distributions, you may need to create a /etc/pam.d/fisheye file containing:

auth       required     pam_stack.so service=system-auth

Mac OS-X

On a default OS-X installation, you may need to create a /etc/pam.d/fisheye file containing:

auth       sufficient     pam_securityserver.so
auth       required       pam_deny.so

Solaris

If you are using the default pam_unix_auth PAM configuration on Solaris, then you may need to add lines like these to your /etc/pam.conf file:

fisheye auth requisite          pam_authtok_get.so.1
fisheye auth required           pam_unix_auth.so.1

If you test this and it does not work, it is probably because when using pam_unix_auth on Solaris, the process doing the password check needs read access to /etc/shadow.

Giving the FishEye process read access to this file may solve this problem, but using permissions other than 0400 for /etc/shadow is not recommended. You should discuss this with your system administrators first, and possibly change to a PAM module other than pam_unix_auth.

Global Settings

Global settings are:

Domain/Service name

Windows: the name of the domain. Leave blank to use the local computer.
PAM: The service name in your PAM configuration to use. If blank, fisheye is used.

Required group

The group or groups a user must belong to in order for them to be able to log in.

Cache TTL (positive)

How long FishEye should cache permission checks. Example values are: 0 secs, 5 mins.

Auto-add

FishEye can automatically create a user it has not previously encountered if the user can successfully authenticate with the host.

Per-Repository Settings

You can give FishEye a group restriction that will be used to check if a user has access to individual repositories. You can specify this per repository, or just specify it in the repository defaults:

Required Group

A group (or groups) used to check if a given user can access a given repository. For example: cvsusers & cvs${REP}

The ${REP} variable is replaced with the name of the repository in question.
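
The group expressions described under Group Restrictions and the ${REP} substitution above can be modelled with a small evaluator, useful for checking what a restriction grants before relying on it. This is an added example, not FishEye's own code: the function names tokenize and allowed are hypothetical, group names are compared case-sensitively, and & is assumed to bind tighter than | (the page does not state operator precedence).

```python
import re

# One token: a "quoted name", an operator or parenthesis, or a bare name.
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([&|()])|([^\s&|()"]+))')

def tokenize(expr):
    expr, pos, tokens = expr.rstrip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad group expression at offset {pos}")
        quoted, op, bare = m.groups()
        tokens.append(("op", op) if op else ("name", bare if quoted is None else quoted))
        pos = m.end()
    return tokens

def allowed(expr, user_groups, repo=""):
    """True if user_groups satisfies expr. Assumed (not from FishEye): & binds tighter than |."""
    tokens, pos = tokenize(expr), 0
    def take():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else ("end", "end of expression")
        pos += 1
        return tok

    def atom():
        kind, text = take()
        if (kind, text) == ("op", "("):
            value = parse(0)
            if take() != ("op", ")"):
                raise ValueError("missing ')'")
            return value
        if kind != "name":
            raise ValueError(f"expected a group name, found {text!r}")
        # ${REP} expands inside a name token only, so a repo name cannot add operators.
        return text.replace("${REP}", repo) in user_groups

    def parse(level):  # level 0: '|' chain, level 1: '&' chain
        operand = atom if level == 1 else (lambda: parse(1))
        value = operand()
        while pos < len(tokens) and tokens[pos] == ("op", "|&"[level]):
            take()
            rhs = operand()  # always parsed, even when value is already decided
            value = (value and rhs) if level == 1 else (value or rhs)
        return value

    result = parse(0)
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos][1]!r}")
    return result
```

Malformed expressions (an unterminated quote, a missing parenthesis, a dangling operator) raise ValueError rather than evaluating to a result, so a typo in a restriction fails closed.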