cr1 identifies and authenticates users on both the server and the client machines at the time a connection is established. Both parties in the communication are authenticated through the use of a key (see cryptkey(1bnu)). The effective UID of the process running cr1 determines the key that is used in the authentication.
If the -u option is used in the responder role, the cr1 scheme attempts to use the key shared by the local and remote machines. If this key is not available to the application (or if no -u option is used), the cr1 scheme will attempt to use the key shared by the local effective user and the principal indicated by the -M and -U options.
The imposer will use the corresponding key shared by the responder and the local effective user.
The options -u and -s indicate that the local user name and the name of the local service, respectively, are to be passed to the remote machine in the authentication exchange. The -U and -M options instruct cr1 to use the remote machine name and the remote user name, respectively, to look up keys in its database.
The cr1 executable program implements the cr1 protocol, assuming that file descriptors 0, 1, and 2 have been set to the connection to be authenticated. The file descriptors are set by the invoke library function (see invoke(3iac)).
Upon successful completion of an authentication exchange, the cr1 program exits with a value of 0 and associates appropriate values with the authenticated connection, using the putava and setava functions. The associated values may then be used by applications using the authenticated connection, using the getava and retava functions.
Note that by default, cr1 uses DES encryption. For this to work, both machines using authentication must have the Encryption Utilities package installed. If this package is not available, the machines can use authentication using ENIGMA encryption, by invoking cr1 as cr1.enigma.