module Rpc_auth_dh:Diffie-Hellman authentication (AUTH_DH alias AUTH_DES)
This module implements DH authentication, the simplest form of Secure RPC. Despite its name, this form of authentication provides only a medium level of security, see below.
To use AUTH_DH you need the public-key infrastructure for Secure
RPC. This requires that a special daemon, the so-called
runs on both the client's system and the server's system. The task
keyserv is to store public and private keys. We do not have
keyserv in Ocamlnet, so you must use the
keyserv your system
keyserv is often distributed together with NIS+. However,
you can run
keyserv without needing to set up NIS+.)
In order to make a remote call, the keyserv
daemon of the client must
know the private key of the client user, and the public key of the
server user. The
keyserv daemon of the server must know the public
key of the client user and the private key of the server user.
Note that you can load a key pair into
keyserv with the command
(This is not necessary for the root user, root's key pair is loaded
at daemon startup time.)
See the manual pages of your OS
Furthermore, it is strictly necessary that time synchronization is enabled between the client and the server. The recommended solution is to synchronize both clocks independently using a time normal (with NTP). Alternatively, the server can provide a time service on port 37 ("netdate").
To identify users, AUTH_DH uses so-called netnames. These have the form "<osflavor>.<user>@<domain>", where <osflavor> determines the kind of operating system (usually "unix"), <user> is an identifier for the user, and <domain> determines where the user identifiers are valid. In UNIX environments, the netnames are formed like:
keyservdaemon provides a service
net_getthat returns the netname of the calling user. AUTH_DH uses this service to determine the netname of the current process, but this does not hide netnames from the user of AUTH_DH:
Note that it is hard to attack AUTH_DH without knowing the public key.
So it is best not to make it accessible for third parties.
domainname. Note: This function refuses to work for setuid or setgid programs.
val client_auth_method :
?getdeviation:(Unix.inet_addr -> float) ->
?keyserv:Rpc_key_service.connector -> string -> Rpc_client.auth_method
Pass the resulting auth_method to
configure AUTH_DH for an RPC client.
ttl: The "time to live" for the network packets. Effectively, this number is the maximum time deviation the server will tolerate. It defaults to 60 seconds meaning that it is acceptable if the server gets the network packet 60/2 seconds before or after the time the packet is sent by the client.
getdeviation: This function is called when the time has to be resynchronized. The argument is the internet address of the server, and the expected result is the number of seconds the server is ahead to the client. By default, a function is used that connects to the netdate time service of the server, and compares the time of the client and the server. If the clocks can be assumed to always be synchronous, it is safe to pass
fun _ -> 0.0as deviation function.
key_lifetime: After this number of seconds the DES key (conversation key) expires. Default: 3600
val server_auth_method :
?keyserv:Rpc_key_service.connector -> unit -> Rpc_server.auth_method
Rpc_server.set_auth_methodsto configure AUTH_DH for an RPC server.
Note that the current implementation of AUTH_DH blocks until the
keyserv responds. For most applications, this is not a big problem,
keyserv lookups are seldom. Perhaps I will rewrite the code some
day such that
keyserv lookups are done in an asynchronous way. (The
Rpc_server.auth_method interface allows it already.)
max_sessions: The maximum number of authenticated connections the server can manage. If more clients connect, the lifetime of the conversation keys will decrease, but the server will still be functional.
max_ttl: The maximum number for the ttl value. The ttl value is passed by the client, but if it is bigger than
max_ttl, the maximum is used instead.
key_lifetime: After this number of seconds the conversation key expires and must be renewed.
attack_detector: Whether an attack detector is to be installed. It detects if there are many failed connection attempts for a certain user (more than 10 failures in 10 seconds). If this criterion matches no more logins are allowed for this user in the current 10 seconds period. The detector contains a heuristics that makes it unlikely that a TCP connection breaks when just a key must be renewed and the server is currently being attacked.
keyservdaemon to use. Defaults to the same default as