[illumos-Developer] Integrating identd
River Tarnell
r.tarnell at IEEE.ORG
Sun Apr 3 11:30:33 PDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'd like to integrate an ident server; that is, a server for RFC 1413,
which allows a remote system to query a (src port, dst port) pair and
returns the username associated with the connection.
This has traditionally been problematic on Solaris because there's no
stable way to get the information identd needs. I have a version of
pidentd working on oi_148, which uses kmem fiddling to examine the
kernel netstacks, find the connection and extract the credentials.
pidentd is under a very free license (basically, "do anything you
want"), so I plan to create a stripped-down version,
/usr/lib/inet/in.identd, which is suitable for integration into ON.
There are three issues with identd:
#1: Finding connection credentials for the global zone (kmem)
#2: Handling shared IP non-global zones
#3: Handling exclusive IP non-global zones
Currently, I use kmem for #1, SO_ALLZONES for #2 and ipnat with
SIOCGNATL for #3 (by redirecting the ident request to the global zone).
This basically works (and could be integrated), but it's somewhat ugly.
What I'd like to do is implement a new syscall, which would look
something like this:
ucred_t *ucred_get_conn(src, srclen, dst, dstlen)
struct sockaddr *src, *dst;
socklen_t srclen, dstlen;
This would take the addresses of the connection (local and remote ends)
and return the credentials of the user that initiated the connection
(that is, the "conn_cred" field from struct conn_s). This would be
zone-aware, so a separate identd could run in every shared or exclusive
IP zone.
In past discussions of this issue, there's been a proposal for a general
interface to enumerate connections including credential information, but
that is a large amount of work, and not something I'm prepared to work
on just to get a working identd.
Thoughts?
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk2YvMkACgkQIXd7fCuc5vIuNgCfSHllmroP/Qh2XUPwJo6B/vyp
7qQAn2d8irkUHKXcSC7TWabIPxRS6GAN
=kjOZ
-----END PGP SIGNATURE-----
More information about the Developer
mailing list