[illumos-Developer] Integrating identd

River Tarnell r.tarnell at IEEE.ORG
Sun Apr 3 11:30:33 PDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'd like to integrate an ident server; that is, a server for RFC 1413, 
which allows a remote system to query a (src port, dst port) pair and 
returns the username associated with the connection.

This has traditionally been problematic on Solaris because there's no 
stable way to get the information identd needs.  I have a version of 
pidentd working on oi_148, which uses kmem fiddling to examine the 
kernel netstacks, find the connection and extract the credentials.

pidentd is under a very free license (basically, "do anything you 
want"), so I plan to create a stripped-down version, 
/usr/lib/inet/in.identd, which is suitable for integration into ON.

There are three issues with identd:

#1: Finding connection credentials for the global zone (kmem)
#2: Handling shared IP non-global zones
#3: Handling exclusive IP non-global zones

Currently, I use kmem for #1, SO_ALLZONES for #2 and ipnat with 
SIOCGNATL for #3 (by redirecting the ident request to the global zone).  
This basically works (and could be integrated), but it's somewhat ugly.

What I'd like to do is implement a new syscall, which would look 
something like this:

  ucred_t *ucred_get_conn(src, srclen, dst, dstlen)
    struct sockaddr	*src, *dst;
    socklen_t		 srclen, dstlen;

This would take the addresses of the connection (local and remote ends) 
and return the credentials of the user that initiated the connection 
(that is, the "conn_cred" field from struct conn_s).  This would be 
zone-aware, so a separate identd could run in every shared or exclusive 
IP zone.

In past discussions of this issue, there's been a proposal for a general 
interface to enumerate connections including credential information, but 
that is a large amount of work, and not something I'm prepared to work 
on just to get a working identd.

Thoughts?

	- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)

iEYEARECAAYFAk2YvMkACgkQIXd7fCuc5vIuNgCfSHllmroP/Qh2XUPwJo6B/vyp
7qQAn2d8irkUHKXcSC7TWabIPxRS6GAN
=kjOZ
-----END PGP SIGNATURE-----
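The wire side of the RFC 1413 exchange the post describes, as an added example that is not part of the original message, of pidentd, or of illumos: the server reads one line of the form `port-on-server , port-on-client`, looks the pair up, and answers with either a `USERID` line or an `ERROR` line. The kernel credential lookup under discussion (kmem today, the proposed `ucred_get_conn()` later) is replaced by a constructed in-memory table so the code runs stand-alone; the port numbers and user names in that table are made up. The `hidden` flag shows the `HIDDEN-USER` reply a user who opts out of identification would receive, and malformed or out-of-range requests get `INVALID-PORT` rather than a crash or a leaked name.

```c
/* Added example: minimal RFC 1413 request parser and reply formatter.
 * Not from the original post, pidentd or illumos. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed stand-in for what an identd would get from the kernel
 * (the post's kmem lookup, or the proposed ucred_get_conn() syscall). */
struct conn_entry {
	int local_port;     /* port on the host running identd */
	int remote_port;    /* port on the querying host */
	const char *user;
	int hidden;         /* user opted out: answer HIDDEN-USER */
};

static const struct conn_entry conn_table[] = {
	{ 6667, 51234, "river", 0 },   /* constructed sample data */
	{ 22,   40001, "alice", 1 },
};

static const struct conn_entry *
ident_lookup(long local_port, long remote_port)
{
	size_t i;
	for (i = 0; i < sizeof conn_table / sizeof conn_table[0]; i++)
		if (conn_table[i].local_port == local_port &&
		    conn_table[i].remote_port == remote_port)
			return &conn_table[i];
	return NULL;
}

static const char *
skip_ws(const char *p)
{
	while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
		p++;
	return p;
}

/* Parse "port-on-server , port-on-client".  Whitespace around the numbers
 * and the comma is allowed and the line may end in CRLF, LF or nothing.
 * Only the syntax is checked here; the port range is checked by the caller
 * so that out-of-range values can still be echoed back.  Returns 0 on
 * success, -1 on a syntax error. */
int
ident_parse_request(const char *line, long *server_port, long *client_port)
{
	char *end;
	long a, b;

	line = skip_ws(line);
	if (!isdigit((unsigned char)*line))   /* rejects "-5", "+5", "" */
		return -1;
	a = strtol(line, &end, 10);
	line = skip_ws(end);
	if (*line++ != ',')
		return -1;
	line = skip_ws(line);
	if (!isdigit((unsigned char)*line))
		return -1;
	b = strtol(line, &end, 10);
	if (*skip_ws(end) != '\0')            /* trailing garbage */
		return -1;
	*server_port = a;
	*client_port = b;
	return 0;
}

/* Build the reply for one request line.  Returns a static buffer that is
 * overwritten on each call, which is fine for a one-request-per-process
 * inetd-style identd. */
const char *
ident_reply_str(const char *request)
{
	static char buf[128];
	long sp, cp;
	const struct conn_entry *c;

	if (ident_parse_request(request, &sp, &cp) != 0) {
		/* Nothing parseable to echo, so reply with 0 , 0. */
		snprintf(buf, sizeof buf, "0 , 0 : ERROR : INVALID-PORT\r\n");
		return buf;
	}
	if (sp < 1 || sp > 65535 || cp < 1 || cp > 65535) {
		snprintf(buf, sizeof buf, "%ld , %ld : ERROR : INVALID-PORT\r\n", sp, cp);
		return buf;
	}
	c = ident_lookup(sp, cp);
	if (c == NULL)
		snprintf(buf, sizeof buf, "%ld , %ld : ERROR : NO-USER\r\n", sp, cp);
	else if (c->hidden)
		snprintf(buf, sizeof buf, "%ld , %ld : ERROR : HIDDEN-USER\r\n", sp, cp);
	else
		snprintf(buf, sizeof buf, "%ld , %ld : USERID : UNIX : %s\r\n", sp, cp, c->user);
	return buf;
}

int
main(void)
{
	/* Constructed request lines as a client would send them. */
	const char *reqs[] = {
		"6667 , 51234\r\n", "22,40001\r\n", "80 , 1\r\n",
		"6667 , 99999\r\n", "hello\r\n",
	};
	size_t i;
	for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
		printf("%.*s -> %s", (int)strcspn(reqs[i], "\r\n"), reqs[i],
		    ident_reply_str(reqs[i]));
	return 0;
}
```

In a real in.identd the table lookup is where the zone-aware credential query would go; keeping the parse, range check and lookup as separate steps means a bad request never reaches the kernel query, and a missing or hidden user is reported without ever revealing a name.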
