Date:      Thu, 20 Feb 1997 10:55:53 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        avalon@coombs.anu.edu.au (Darren Reed)
Cc:        davidn@labs.usn.blaze.net.au, freebsd-hackers@freebsd.org
Subject:   Re: "connection refused"
Message-ID:  <199702201755.KAA15626@phaeton.artisoft.com>
In-Reply-To: <199702201229.EAA09482@freefall.freebsd.org> from "Darren Reed" at Feb 20, 97 11:29:25 pm

> > I'm currently working on a network server that needs to use local
> > credentials on a remote connection, and if that fails, to issue a
> > "connection refused".
> 
> You can't do this (using sockets).
> 
> I don't quite understand how you want to use the credentials...the
> description seems confusing.  Can you put it in TCP/IP terms ? :)

I believe he wants to vouchsafe the local credentials to the remote
system, and have that system proxy those credentials locally.  Like
NFS does, not like rlogin does.

You can't engage in vouchsafe unless you have a connection up to
transfer the proxy data over.  Once you have a connection up, you
can't refuse the connection, you can only close it.


One possibility would be to use identd (if you, as the server, trust
a host to provide credentials for local proxy, you can trust them
to run a non-hacked identd -- the level of trust is equivalent, as
the host could lie about credentials on the vouchsafe just as easily
as on the identd, if it were compromised).

To do this, you would get the connection request data without issuing
an accept.  This is highly irregular, so I don't know how much sample
code exists to do it... but what you do is call recvmsg() on the socket
you would have done the accept on, with a msg_iovlen of 0 and a
non-zero msg_controllen.

Using the information from the recvmsg(), you contact the remote
host's identd and get the socket creator's credential data.

If the credentials are not to your liking, you can explicitly reject
the connection using sendmsg(), with only the control information.

If you like the credentials, you can accept() normally, and proceed.

Obviously, you shouldn't implement this for identd.  8-).


					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
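
As an added illustration of the identd-based scheme discussed above (example code, not from this thread or from any FreeBSD source), the following Python sketch does the ident exchange from the server side. It takes the plain path of accept() first and close() on rejection, and does not attempt the pre-accept recvmsg()/sendmsg() handling described in the message. The request format, port order and reply types follow RFC 1413; the port numbers, user names and the allow-list policy are constructed for the example.

```python
"""Ident (RFC 1413) lookup for an accepted TCP connection.

Added example, not code from the original message.  Assumption: the server
accept()s first and, if the identd answer is not to its liking, closes the
connection, since a connection cannot be refused once it is up.
"""
import socket

IDENT_PORT = 113  # well-known identd port (RFC 1413)


def build_ident_request(peer_port, local_port):
    """RFC 1413 request line: "<port-on-server> , <port-on-client>" CRLF.

    identd runs on the peer, so the peer's port is the "server" port and
    our own local port is the "client" port.
    """
    return f"{peer_port} , {local_port}\r\n".encode("ascii")


def parse_ident_reply(line, peer_port, local_port):
    """Parse one reply line.  Returns one of:
       ("USERID", (opsys, user_id)), ("ERROR", error_type), ("MALFORMED", text).
    A reply whose echoed port pair does not match the query is treated as
    malformed rather than trusted.
    """
    text = line.decode("ascii", "replace").strip()
    # At most four fields: ports, response type, and (for USERID) opsys, user.
    # The user-id may itself contain ':' so splitting stops after three.
    parts = [p.strip() for p in text.split(":", 3)]
    if len(parts) < 3:
        return ("MALFORMED", text)
    ports = parts[0].split(",")
    try:
        echoed = (int(ports[0]), int(ports[1])) if len(ports) == 2 else None
    except ValueError:
        echoed = None
    if echoed != (peer_port, local_port):
        return ("MALFORMED", text)
    if parts[1] == "ERROR":
        return ("ERROR", ":".join(parts[2:]))
    if parts[1] == "USERID" and len(parts) == 4:
        return ("USERID", (parts[2], parts[3]))
    return ("MALFORMED", text)


def ident_lookup(conn, timeout=5.0):
    """Ask the peer's identd who owns the far end of accepted socket `conn`."""
    local_port = conn.getsockname()[1]
    peer_host, peer_port = conn.getpeername()[:2]
    with socket.create_connection((peer_host, IDENT_PORT), timeout=timeout) as q:
        q.sendall(build_ident_request(peer_port, local_port))
        with q.makefile("rb") as f:
            line = f.readline(1024)  # RFC 1413 replies are short single lines
    return parse_ident_reply(line, peer_port, local_port)


def should_admit(reply, allowed_users):
    """Policy: only a USERID answer naming an allowed user admits the peer.

    The answer is whatever the peer host's identd chooses to say, so it is
    worth exactly as much as our trust in that host and nothing more.
    """
    status, detail = reply
    return status == "USERID" and detail[1] in allowed_users


if __name__ == "__main__":
    import sys

    ALLOWED = {"alice", "bob"}  # constructed policy for the demo
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 4000
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("", port))
    srv.listen(5)
    while True:
        conn, _ = srv.accept()          # the connection is now up...
        try:
            verdict = ident_lookup(conn)
        except OSError as exc:          # no identd, timeout, refused, etc.
            verdict = ("ERROR", f"lookup failed: {exc}")
        if should_admit(verdict, ALLOWED):
            conn.sendall(b"220 ok\r\n")  # hand off to the real protocol here
            conn.close()
        else:
            conn.close()                # ...so "refuse" can only mean close
```

Run it with a port number as the argument and connect from a host running identd; a peer with no identd, or one answering ERROR or an unlisted user, is simply closed. The port-pair check in parse_ident_reply is the one defence the querying side can apply itself; everything else rests on the peer host being honest.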



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702201755.KAA15626>