[Spread-users] spread IP-based authentication

Jonathan Stanton jonathan at spreadconcepts.com
Thu Apr 5 01:43:02 EDT 2012


Hi Matt,

I took a look at what you are trying to do and I have a few ideas. For reference, the best example and documentation of the Spread access control system is in the paper "Framework for Authentication and Access Control of Client-Server Group Communication Systems" which can be downloaded from  http://www.spread.org/SpreadResearch.html

Ideas:

1) Add "ACM" to DebugFlags in the spread.conf. That will add log messages to the spread log about how the authentication is working and what checks are being done. That is fairly verbose (especially with EventPriority INFO) so that might clearly show what the problem is.

2) The spread log message in your current log that states:
"[Mon 26 Mar 2012 15:59:10] Sess_recv_client_auth: reading auth string SHORT on mailbox 9"

indicates that the spread client is not sending a full list of supported auth methods to the server. 

What type of Spread client software are you using? Is it the included spuser program that comes with Spread or your own client? 

If you are using the included test client "spuser" then I think I know the problem. That client in its default compilation does not state that it supports any authentication besides the default "NULL" authentication. Since you are not allowing NULL authentication in your list of allowed methods on the server, the client is detecting that no method it supports is allowed by the server and therefore is rejecting the connection before even trying to compare IP addresses with your access file.

If this is the case there are two different ways to fix this: 

 a) Change the user.c client to add a call to "SP_set_auth_method()" which specifies that the "IP" method is used and create a simple "ip_authenticate()" function in the client that just returns true (i.e. 1) and register that as the authenticate function (auth_data can be NULL). That will cause the client to record that it can do IP auth, which will then be what it requests and what the server uses.

 If you are writing your own client or want something that you control this is the best approach.

 b) If you want a simple change that will work without any code changes, just add "NULL" to the AllowedAuthMethods = "" line in the spread.conf file so that both IP and NULL are allowed methods for the server. Then only leave IP in the required methods line. That will cause the server to allow clients who only request NULL method to start the connection process, but it will still check the IP rules and reject them if they don't match. This works securely because the way auth methods are checked, it requires that all methods listed at the server to return "OK" before allowing the connection. So if the IP check fails, it doesn't matter if NULL passes (which it always does) because the client will still be rejected. 

If you are using your own client, then make sure it is enabling use of the IP method in its call to SP_set_auth_method().

Some further notes that might help using the IP auth code. 

When only 'unix and local' are in the access file the only methods that should work are when the client connects using only a port number (passing "4833" as the spread_name into the SP_connect() call, which is really a unix domain socket connection using the port file /tmp/4803 or wherever it is located) or a connection when the client connects to the daemon using a name in the localhost space (127.0.0.0/8), for example "4803@127.0.0.1". So that case should not work even if the client is on the same machine if the client is connecting using the external IP address of the daemon (even running on the same machine).

However, your second case of adding the IP range 192.168.0.0/16 to the access file should have allowed connections from any client coming from an address in that range. 

I hope this helps,

Jonathan
-------------------------------------------------------------------------------
Jonathan Stanton		jonathan at spreadconcepts.com
Spread Group Messaging	www.spread.org
Spread Concepts LLC 	www.spreadconcepts.com
-------------------------------------------------------------------------------
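As an added illustration (not code from this thread or from Spread itself), the following Python model assumes the semantics described above: the methods the client offers are filtered by AllowedAuthMethods, every RequiredAuthMethods entry must return OK, NULL always passes, and IP is checked against the spread.access_ip rules. It replays the scenarios from the thread: a stock spuser against Allowed = "IP", the Allowed = "IP NULL" workaround, and the access file with and without 192.168.0.0/16.

```python
import ipaddress

# Constructed model of the access-control behaviour described above; it is
# not Spread's own code. Assumed semantics: the client advertises the methods
# it supports, AllowedAuthMethods filters them, and every method in
# RequiredAuthMethods must return OK. NULL always passes; IP consults the
# spread.access_ip rules ("unix" = Unix-domain-socket connection,
# "local" = 127.0.0.0/8, anything else = a CIDR range).

LOCAL_NET = ipaddress.ip_network("127.0.0.0/8")

def parse_access_file(text):
    """Parse spread.access_ip lines into a list of rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line in ("unix", "local"):
            rules.append(line)
        elif line:
            rules.append(ipaddress.ip_network(line, strict=False))
    return rules

def ip_check(rules, src):
    """src is None for a Unix-domain socket, otherwise the client's IP."""
    if src is None:
        return "unix" in rules
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule == "local" and addr in LOCAL_NET:
            return True
        if not isinstance(rule, str) and addr in rule:
            return True
    return False

def authorize(allowed, required, client_methods, rules, src):
    """Return (accepted, reason) for one connection attempt."""
    if not any(m in allowed for m in client_methods):
        return False, "client offers no method the server allows"
    for method in required:
        if method == "IP" and not ip_check(rules, src):
            return False, "IP rule check failed"
        if method not in ("NULL", "IP"):
            return False, "unknown required method " + method
    return True, "OK"

# Constructed access files mirroring the thread: "unix"/"local" only, and
# the same file with the 192.168.0.0/16 range added.
UNIX_LOCAL = parse_access_file("unix\nlocal\n")
WITH_RANGE = parse_access_file("unix\nlocal\n192.168.0.0/16\n")
```

With Allowed = Required = "IP" a NULL-only spuser never reaches the IP check; with Allowed = "IP NULL" it does, and is still rejected unless its source address matches a rule.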



On Apr 3, 2012, at 10:08 AM, Matt Garman wrote:

> Bump... is anyone out there using IP-based authentication?  Anyone see
> any obvious problems with my configuration?
> 
> John, can you duplicate this?
> 
> Thanks again,
> Matt
> 
> 
> On Mon, Mar 26, 2012 at 11:05 AM, Matt Garman <matthew.garman at gmail.com> wrote:
>> Hi,
>> 
>> Using spread 4.0.0 on Linux, we'd like to use IP-based authentication.
>>  I asked about this a while ago[1].  In short, I added the following
>> two lines to my spread configuration file:
>> 
>> RequiredAuthMethods = "IP"
>> AllowedAuthMethods = "IP"
>> 
>> I also created a "spread.access_ip" file, and put it in all of the
>> following directories: (1) spread runtime directory, (2) /etc/ and (3)
>> /usr/local/etc/.  Here is the contents of this file:
>> 
>> unix
>> local
>> 
>> This seems to block *all* spread access.  I also tried adding the
>> following line to the file:
>> 
>> 192.168.0.0/16
>> 
>> My server's IP address is within this subnet.  If I try to connect
>> using spuser, I get the following:
>> 
>> Spread library version is 4.0.0
>> SP_error: (-9) Connection rejected, authentication failed
>> 
>> Bye.
>> 
>> Here is what the spread log file looks like (with the startup
>> copyright banner removed):
>> 
>> Conf_load_conf_file: using file:
>> /usr/local/etc/spread/spread-4833-development.conf
>> Successfully configured Segment 0 [192.168.187.255:4833] with 1 procs:
>>                    lnxsvr11: 192.168.187.67
>> [Mon 26 Mar 2012 10:59:10] Set Alarm mask to: 1a6
>> [Mon 26 Mar 2012 10:59:10] Setting SO_REUSEADDR to auto
>> [Mon 26 Mar 2012 10:59:10] disabling Dangerous Monitor Commands!
>> [Mon 26 Mar 2012 10:59:10] Set runtime directory to '/var/run/spread/4833'
>> [Mon 26 Mar 2012 10:59:10] Set group name to 'spread'
>> [Mon 26 Mar 2012 10:59:10] Set user name to 'spread'
>> [Mon 26 Mar 2012 10:59:10] Finished configuration file.
>> [Mon 26 Mar 2012 10:59:10] Hash value for this configuration is: 2464631203
>> [Mon 26 Mar 2012 10:59:10] Conf_load_conf_file: My name: lnxsvr11, id:
>> 192.168.187.67, port: 4833
>> [Mon 26 Mar 2012 10:59:10] Net_init: Bcast is not needed
>> [Mon 26 Mar 2012 10:59:10] Net_set_membership: I am a Segment leader
>> [Mon 26 Mar 2012 10:59:10] Net_set_membership: Token_address :
>> (192.168.187.67:4834)
>> [Mon 26 Mar 2012 10:59:10] Sess_init: INET bind for port 4833
>> interface 0.0.0.0 ok
>> [Mon 26 Mar 2012 10:59:10] Sess_init: INET went ok on mailbox 6
>> [Mon 26 Mar 2012 10:59:10] Sess_init: UNIX bind for name /tmp/4833 ok
>> [Mon 26 Mar 2012 10:59:10] Sess_init: UNIX went ok on mailbox 7
>> [Mon 26 Mar 2012 10:59:10] Sess_init: ended ok
>> [Mon 26 Mar 2012 10:59:10] Net_set_membership: I am a Segment leader
>> [Mon 26 Mar 2012 15:59:10] Net_set_membership: Token_address :
>> (192.168.187.67:4834)
>> Membership id is ( -1062683837, 1332777551)
>> [Mon 26 Mar 2012 15:59:10] --------------------
>> [Mon 26 Mar 2012 15:59:10] Configuration at lnxsvr11 is:
>> [Mon 26 Mar 2012 15:59:10] Num Segments 1
>> [Mon 26 Mar 2012 15:59:10]      1       192.168.187.255   4833
>> [Mon 26 Mar 2012 15:59:10]              lnxsvr11                192.168.187.67
>> [Mon 26 Mar 2012 15:59:10] ====================
>> [Mon 26 Mar 2012 15:59:10] Sess_accept: set sndbuf/rcvbuf to 204800
>> [Mon 26 Mar 2012 15:59:10] Setting TCP_NODELAY on socket 9
>> [Mon 26 Mar 2012 15:59:10] Sess_recv_client_auth: reading auth string
>> SHORT on mailbox 9
>> [Mon 26 Mar 2012 15:59:10] Sess_session_denied: Authorization denied
>> for -2124115 on mailbox 9
>> [Mon 26 Mar 2012 15:59:10] Sess_accept: set sndbuf/rcvbuf to 204800
>> [Mon 26 Mar 2012 15:59:10] Setting TCP_NODELAY on socket 9
>> [Mon 26 Mar 2012 15:59:10] Sess_recv_client_auth: reading auth string
>> SHORT on mailbox 9
>> [Mon 26 Mar 2012 15:59:10] Sess_session_denied: Authorization denied
>> for -2924115 on mailbox 9
>> [Mon 26 Mar 2012 15:59:10] Sess_accept: set sndbuf/rcvbuf to 204800
>> [Mon 26 Mar 2012 15:59:10] Setting TCP_NODELAY on socket 9
>> [Mon 26 Mar 2012 15:59:10] Sess_recv_client_auth: reading auth string
>> SHORT on mailbox 9
>> [Mon 26 Mar 2012 15:59:10] Sess_session_denied: Authorization denied
>> for -2924115 on mailbox 9
>> ... (the last few lines repeat continuously)
>> 
>> 
>> Here is the contents of my config file:
>> 
>> Spread_Segment 192.168.187.255:4833 {
>>        lnxsvr11 192.168.187.67
>> }
>> 
>> EventTimeStamp
>> #DebugFlags = { PRINT EXIT }
>> DebugFlags = { PRINT EXIT NETWORK SESSION CONFIGURATION }
>> SocketPortReuse = AUTO
>> DangerousMonitor = false
>> RuntimeDir = /var/run/spread/4833
>> EventPriority = INFO
>> DaemonGroup = spread
>> DaemonUser = spread
>> RequiredAuthMethods = "IP"
>> AllowedAuthMethods = "IP"
>> 
>> 
>> Am I missing something?
>> 
>> Thanks!
>> Matt
>> 
>> [1] http://lists.spread.org/pipermail/spread-users/2011-November/004489.html
> 