From owner-freebsd-hackers Thu Feb 20 09:59:39 1997
From: Terry Lambert
Message-Id: <199702201755.KAA15626@phaeton.artisoft.com>
Subject: Re: "connection refused"
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Thu, 20 Feb 1997 10:55:53 -0700 (MST)
Cc: davidn@labs.usn.blaze.net.au, freebsd-hackers@freebsd.org
In-Reply-To: <199702201229.EAA09482@freefall.freebsd.org> from "Darren Reed" at Feb 20, 97 11:29:25 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > I'm currently working on a network server that needs to use local
> > credentials on a remote connection, and if that fails, to issue a
> > "connection refused".
>
> You can't do this (using sockets).
>
> I don't quite understand how you want to use the credentials...the
> description seems confusing. Can you put it in TCP/IP terms ? :)

I believe he wants to vouchsafe the local credentials to the remote
system, and have that system proxy those credentials locally. Like
NFS does, not like rlogin does.

You can't engage in vouchsafe unless you have a connection up to
transfer the proxy data over. Once you have a connection up, you
can't refuse the connection, you can only close it.

One possibility would be to use identd (if you, as the server, trust
a host to provide credentials for local proxy, you can trust them to
run a non-hacked identd -- the level of trust is equivalent, as the
host could lie about credentials on the vouchsafe just as easily as
on the identd, if it were compromised).

To do this, you would get the connection request data without issuing
an accept. This is highly irregular, so I don't know how much sample
code exists to do it... but what you do is call recvmsg() on the
socket you would have done the accept on, with a msg_iovlen of 0 and
a non-zero msg_controllen.

Using the information from the recvmsg(), you contact the remote
host's identd and get the socket creator's credential data.

If the credentials are not to your liking, you can explicitly reject
the connection using sendmsg(), with only the control information.

If you like the credentials, you can accept() normally, and proceed.

Obviously, you shouldn't implement this for identd. 8-).

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
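The identd consultation described in the reply, as an added Python example that is not part of the original post: the server accept()s, asks the peer host's identd (RFC 1413, TCP port 113) who owns the connection, and closes it if the answer is unacceptable, since, as the post notes, an established connection can only be closed. It does the lookup after accept() rather than attempting the pre-accept recvmsg() step; the `allowed_users` set and the request/reply helpers are assumptions of this example.

```python
import socket
from typing import Optional

IDENT_PORT = 113  # RFC 1413 ident service


def ident_request(remote_port: int, local_port: int) -> bytes:
    # Query line: first the port on the host running identd (the peer's
    # end of our accepted connection), then the port on our end.
    return f"{remote_port} , {local_port}\r\n".encode("ascii")


def parse_ident_reply(reply: bytes, remote_port: int, local_port: int) -> Optional[str]:
    # Reply forms: "<remote> , <local> : USERID : <opsys> : <user-id>"
    #          or "<remote> , <local> : ERROR : <error-type>"
    # Returns the user-id, or None for ERROR, malformed or mismatched ports.
    text = reply.decode("ascii", "replace").strip()
    fields = [f.strip() for f in text.split(":", 3)]  # user-id may hold ':'
    if len(fields) < 3:
        return None
    ports = [p.strip() for p in fields[0].split(",")]
    if ports != [str(remote_port), str(local_port)]:
        return None  # reply does not describe the connection we asked about
    if fields[1] != "USERID" or len(fields) != 4 or not fields[3]:
        return None
    return fields[3]


def lookup_peer_user(conn: socket.socket, timeout: float = 5.0) -> Optional[str]:
    # Ask the peer host's identd who created `conn` (an accepted TCP socket).
    # As the post says, the answer is only as trustworthy as the peer host.
    peer_ip, remote_port = conn.getpeername()[:2]
    local_port = conn.getsockname()[1]
    try:
        with socket.create_connection((peer_ip, IDENT_PORT), timeout=timeout) as ident:
            ident.sendall(ident_request(remote_port, local_port))
            reply = ident.recv(1024)
    except OSError:
        return None  # no identd reachable: treat as no credentials
    return parse_ident_reply(reply, remote_port, local_port)


def serve(listen_port: int, allowed_users: set) -> None:
    # Accept, consult identd, then keep or close.  A rejected peer sees the
    # connection close after accept, not a TCP-level "connection refused".
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:  # leaving the block closes the socket
                if lookup_peer_user(conn) in allowed_users:
                    conn.sendall(b"welcome\r\n")
```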