[Spread-users] spread IP-based authentication

Matt Garman matthew.garman at gmail.com
Thu Apr 12 14:40:12 EDT 2012


Hi Jonathan,

Thank you for your detailed response.  Unfortunately, I'm still not
having any luck here... see inline details below.

On Thu, Apr 5, 2012 at 12:43 AM, Jonathan Stanton
<jonathan at spreadconcepts.com> wrote:
> 1) Add "ACM" to DebugFlags in the spread.conf. That will add log messages to the spread log about how the authentication is working and what checks are being done. That is fairly verbose (especially with EventPriority INFO) so that might clearly show what the problem is.

Is that a new flag?  It doesn't appear to do anything for me, and
isn't listed in the Spread User's Guide on the website (see page 14,
table 2.1).

> 2) The spread log message in your current log that states:
> "[Mon 26 Mar 2012 15:59:10] Sess_recv_client_auth: reading auth string SHORT on mailbox 9"
>
> indicates that the spread client is not sending a full list of supported auth methods to the server.
>
> What type of Spread client software are you using? Is it the included spuser program that comes with Spread or your own client?

I've been trying with both the spuser example program as well as our
own client(s).

> If you are using the included test client "spuser" then I think I know the problem. That client in its default compilation does not state that it supports any authentication besides the default "NULL" authentication. Since you are not allowing NULL authentication in your list of allowed methods on the server, the client is detecting that no method it supports is allowed by the server and therefore is rejecting the connection before even trying to compare IP addresses with your access file.
>
> If this is the case there are two different ways to fix this:
>
>  a) Change the user.c client to add a call to "SP_set_auth_method()" which specifies that the "IP" method is used and create a simple "ip_authenticate()" function in the client that just returns true (i.e. 1) and register that as the authenticate function (auth_data can be NULL). That will cause the client to record that it can do IP auth, which will then be what it requests and what the server uses.

I tried this; the code change was so small I went ahead and included
the patch at the bottom of this file.  Your suggestion is simple
enough, but perhaps I still managed to mess it up?  In this case, I
get the same log errors as before:

[Thu 12 Apr 2012 13:17:30] Sess_recv_client_auth: reading auth string
SHORT on mailbox 9
[Thu 12 Apr 2012 13:17:30] Sess_session_denied: Authorization denied
for user on mailbox 9

>  If you are writing your own client or want something that you control this is the best approach.
>
>  b) If you want a simple change that will work without any code changes, just add "NULL" to the AllowedAuthMethods = "" line in the spread.conf file so that both IP and NULL are allowed methods for the server. Then only leave IP in the required methods line. That will cause the server to allow clients who only request NULL method to start the connection process, but it will still check the IP rules and reject them if they don't match. This works securely because the way auth methods are checked, it requires that all methods listed at the server to return "OK" before allowing the connection. So if the IP check fails, it doesn't matter if NULL passes (which it always does) because the client will still be rejected.

This is actually what I tried first, and what I would prefer to do
(since we have a lot of spread-based programs, and don't want to have
to do a big rebuild/release).  But this also does not work:

[Thu 12 Apr 2012 13:37:37] Sess_recv_client_auth: Client requested
NULL type authentication
[Thu 12 Apr 2012 13:37:37] Sess_session_denied: Authorization denied
for user on mailbox 9

Any other thoughts?

Thanks again!
Matt


--- user.c.orig 2012-04-12 13:21:28.000000000 -0500
+++ user.c      2012-04-12 13:19:25.000000000 -0500
@@ -103,6 +103,8 @@
 static  void    Print_help();
 static  void   Bye();

+int ip_authenticate(int i, void* p) { return 1; }
+
 int main( int argc, char *argv[] )
 {
        int     ret;
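Review bot: `ip_authenticate(int i, void* p)` ignores both parameters and returns 1 unconditionally, which is what was asked for (the client only advertises that it can do the IP method; the actual address check happens server-side against the access file), but its signature should be confirmed against the callback type that `SP_set_auth_method` expects in the Spread headers rather than taken from this patch, since a mismatched prototype is the kind of thing that compiles with a warning and then misbehaves at registration. Two style points: the other helpers in this file are `static` (`static void Print_help();`), so `static int ip_authenticate(...)` would match, and the unused parameters will draw unused-parameter warnings unless they are left unnamed or explicitly discarded.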
@@ -125,6 +127,9 @@
 #else
         printf("Spread library version is %1.2f\n", SP_version() );
 #endif
+
+       SP_set_auth_method("IP", ip_authenticate, NULL);
+
 #ifdef  ENABLE_PASSWORD
         if (Use_Pword)
         {
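Review bot: the result of `SP_set_auth_method("IP", ip_authenticate, NULL);` is discarded, and the server log quoted earlier in the mail still shows `reading auth string SHORT` after this change, which is exactly the symptom the call was supposed to remove, so the first thing to verify is whether the call reports a failure (if the library returns a status, print it next to the existing `Spread library version` line) and whether it really executes before the connection is opened. It also sits immediately before the `#ifdef ENABLE_PASSWORD` / `if (Use_Pword)` block; if that path registers a different auth method when a password is in use, it would replace the IP registration, so it is worth confirming that this build does not define `ENABLE_PASSWORD` or that the two registrations do not collide.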


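A spread.conf fragment showing the server-side settings that option (b) and suggestion (1) above rely on, added here as an illustration; it is not taken from the Spread distribution or from either poster's files. `AllowedAuthMethods` and the `ACM` flag appear in the thread; the `RequiredAuthMethods` and `DebugFlags` key names and the brace syntax are assumed from Spread's sample configuration and should be checked against the version in use.

```conf
# --- Weak setting (constructed example) -------------------------------
# Only NULL is allowed and only NULL is required.  NULL always passes,
# so every client is admitted and the IP access file is never consulted.
AllowedAuthMethods  = "NULL"
RequiredAuthMethods = "NULL"

# --- Option (b) from the thread ---------------------------------------
# NULL and IP are both *allowed*, so an unmodified spuser (which only
# advertises NULL) can start the handshake; but only IP is *required*.
# Every required method must return OK before the connection is accepted,
# so a NULL-only client still has its address checked against the IP
# access file and is rejected if it does not match.
AllowedAuthMethods  = "NULL IP"
RequiredAuthMethods = "IP"

# --- Suggestion (1): log what the auth checks are doing ----------------
# Key name and brace syntax assumed; verbose together with EventPriority INFO.
DebugFlags = { ACM }
EventPriority = INFO
```

The two `AllowedAuthMethods`/`RequiredAuthMethods` pairs are shown together only for comparison; a real spread.conf should contain one pair. The property that makes option (b) safe is the conjunction rule described in the thread: allowing NULL widens what a client may *offer*, while requiring IP fixes what must *pass*.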

More information about the Spread-users mailing list