[illumos-Developer] Integrating identd

Garrett D'Amore garrett at nexenta.com
Sun Apr 3 14:26:08 PDT 2011


You can't use getpeerucred() to do this work for you?  What am I missing
that you can't get from getpeerucred()?

In general, if this program is likely to be useful I don't see why we
couldn't import into ON, although I'm not sure it really needs to be
there either.

Historically, identd has been one of those protocols that various
security folks have discouraged the use of, since you can't really rely
on it to do anything meaningful, and improperly configured systems can
wind up having identd give away information that it should not.

	- Garrett

On Sun, 2011-04-03 at 19:30 +0100, River Tarnell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I'd like to integrate an ident server; that is, a server for RFC 1413, 
> which allows a remote system to query a (src port, dst port) pair and 
> returns the username associated with the connection.
> 
> This has traditionally been problematic on Solaris because there's no 
> stable way to get the information identd needs.  I have a version of 
> pidentd working on oi_148, which uses kmem fiddling to examine the 
> kernel netstacks, find the connection and extract the credentials.
> 
> pidentd is under a very free license (basically, "do anything you 
> want"), so I plan to create a stripped-down version, 
> /usr/lib/inet/in.identd, which is suitable for integration into ON.
> 
> There are three issues with identd:
> 
> #1: Finding connection credentials for the global zone (kmem)
> #2: Handling shared IP non-global zones
> #3: Handling exclusive IP non-global zones
> 
> Currently, I use kmem for #1, SO_ALLZONES for #2 and ipnat with 
> SIOCGNATL for #3 (by redirecting the ident request to the global zone).  
> This basically works (and could be integrated), but it's somewhat ugly.
> 
> What I'd like to do is implement a new syscall, which would look 
> something like this:
> 
>   ucred_t *ucred_get_conn(src, srclen, dst, dstlen)
>     struct sockaddr	*src, *dst;
>     socklen_t		 srclen, dstlen;
> 
> This would take the addresses of the connection (local and remote ends) 
> and return the credentials of the user that initiated the connection 
> (that is, the "conn_cred" field from struct conn_s).  This would be 
> zone-aware, so a separate identd could run in every shared or exclusive 
> IP zone.
> 
> In past discussions of this issue, there's been a proposal for a general 
> interface to enumerate connections including credential information, but 
> that is a large amount of work, and not something I'm prepared to work 
> on just to get a working identd.
> 
> Thoughts?
> 
> 	- river.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (SunOS)
> 
> iEYEARECAAYFAk2YvMkACgkQIXd7fCuc5vIuNgCfSHllmroP/Qh2XUPwJo6B/vyp
> 7qQAn2d8irkUHKXcSC7TWabIPxRS6GAN
> =kjOZ
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Developer mailing list
> Developer at lists.illumos.org
> http://lists.illumos.org/m/listinfo/developer
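The wire format the thread is talking about, as an added example that is not code from the thread, from pidentd or from illumos: an RFC 1413 request parser and reply formatter in C. The query is "<port-on-server> , <port-on-client>", and the reply either names the owner ("USERID : UNIX : <user>") or reports ERROR with one of the RFC's error tokens. The connection table here is a constructed stand-in for the kernel lookup River describes (kmem, SO_ALLZONES, or the proposed ucred_get_conn()); the `hidden` flag is an assumed per-user opt-out that maps to the RFC's HIDDEN-USER. Ports are range-checked before any lookup, over-long lines are refused rather than truncated, and a failed lookup answers NO-USER only, which is the kind of minimal disclosure Garrett's caveat argues for.

```c
/* Added example, not code from the thread, pidentd or illumos: a minimal
 * RFC 1413 request parser and reply formatter.  The connection table is a
 * constructed stand-in for the kernel lookup the thread debates (kmem,
 * SO_ALLZONES, or the proposed ucred_get_conn()); nothing here touches the
 * kernel or a socket. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IDENT_MAX_LINE 1000  /* RFC 1413: request lines are at most 1000 chars */

/* Constructed sample table: (port on identd host, port on querying host) -> owner. */
struct conn_entry {
    int server_port;   /* local port on the host running identd */
    int client_port;   /* port on the remote host that is asking */
    const char *user;  /* owner of the connection */
    int hidden;        /* assumed opt-out flag: reply HIDDEN-USER instead of a name */
};

static const struct conn_entry sample_conns[] = {
    { 6191, 23, "river",   0 },
    { 6192, 23, "garrett", 1 },
};

/* Parse one decimal port (surrounding whitespace allowed) into *out.
 * Returns 1 on success, 0 if it is not a number in 1..65535. */
static int parse_port(const char *s, int *out)
{
    char *end;
    long v;

    while (isspace((unsigned char)*s)) s++;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || errno != 0) return 0;
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0' || v < 1 || v > 65535) return 0;
    *out = (int)v;
    return 1;
}

/* Parse an RFC 1413 request "<port-on-server> , <port-on-client>" (CRLF
 * optional).  Returns 1 on success, 0 if malformed or a port is out of range. */
int ident_parse_request(const char *line, int *server_port, int *client_port)
{
    char buf[IDENT_MAX_LINE + 1];
    char *comma;
    size_t n;

    if (line == NULL) return 0;
    n = strcspn(line, "\r\n");          /* stop at the line terminator */
    if (n > IDENT_MAX_LINE) return 0;   /* over-long line: refuse, don't truncate */
    memcpy(buf, line, n);
    buf[n] = '\0';
    if ((comma = strchr(buf, ',')) == NULL) return 0;
    *comma = '\0';
    return parse_port(buf, server_port) && parse_port(comma + 1, client_port);
}

/* Write the RFC 1413 reply for one request line into out.  Returns the
 * number of characters written (without the NUL), or -1 if out is too small. */
int ident_respond(const char *line, char *out, size_t outlen)
{
    int sp = 0, cp = 0, n;
    const struct conn_entry *e = NULL;
    size_t i;

    if (!ident_parse_request(line, &sp, &cp)) {
        /* Nothing parseable to echo back; "0 , 0" is this example's choice. */
        n = snprintf(out, outlen, "0 , 0 : ERROR : INVALID-PORT\r\n");
    } else {
        for (i = 0; i < sizeof sample_conns / sizeof sample_conns[0]; i++)
            if (sample_conns[i].server_port == sp && sample_conns[i].client_port == cp)
                e = &sample_conns[i];
        if (e == NULL)
            n = snprintf(out, outlen, "%d , %d : ERROR : NO-USER\r\n", sp, cp);
        else if (e->hidden)
            n = snprintf(out, outlen, "%d , %d : ERROR : HIDDEN-USER\r\n", sp, cp);
        else
            n = snprintf(out, outlen, "%d , %d : USERID : UNIX : %s\r\n", sp, cp, e->user);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Self-check helper: does the reply to line equal expected? */
int ident_reply_is(const char *line, const char *expected)
{
    char buf[128];
    return ident_respond(line, buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}
```

In a real in.identd the loop over sample_conns is the part that would be replaced by the kernel query; everything else (line-length limit, port validation, the fixed set of error tokens) stays the same whichever of the three lookup mechanisms is used.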




