[rrd-developers] [PATCH] rrdcached server-side authentication
Tobias Oetiker
tobi at oetiker.ch
Wed Apr 29 06:41:28 CEST 2009
Hi Kevin,
:-) I can soon start using the daemon in the WAN ...
Today kevin brintnall wrote:
[...]
>
> +=item B<-A> I<auth_file>
> +
> +This file contains a list of authentication secrets, one per line.
> +Comments start with B<#>; any remaining characters on the line are
> +ignored. Trailing white space is ignored. See B<AUTHENTICATION> for more
> +information.
> +
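Review bot: the B<-A> entry does not say whether B<#> starts a comment only at the beginning of a line or anywhere on it; "any remaining characters on the line are ignored" reads as the latter, so a secret that happens to contain B<#> would be silently truncated. Either state that secrets must not contain B<#> or restrict comments to lines whose first non-blank character is B<#>. Since the file holds the shared secrets in clear text, the entry should also say that it must not be readable by other users and what the daemon does when the file is missing or unreadable (refuse to start, or start with no secrets loaded).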
[...]
> + for (size_t i=0; i < auth_secrets_cnt; i++)
> + {
> + char expected[RRD_AUTH_RESPONSE_LEN];
> + rrd_auth_response(expected, sock->auth_nonce, auth_secrets[i]);
> +
> + if (strcasecmp(expected, response) == 0)
> + {
> + sock->privilege = PRIV_HIGH;
> + return send_response(sock, RESP_OK, "ok\n");
> + }
> + }
> + return send_response(sock, RESP_ERR, "bad authentication response\n");
> +} /* }}} */
> +
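Review bot: strcasecmp() in the comparison loop returns at the first differing character, so the time taken to reject a response depends on how many leading characters matched the expected value, which can leak the expected response to a client that measures round-trip times; compare all RRD_AUTH_RESPONSE_LEN bytes with a constant-time loop instead (accumulate the XOR of every byte pair and test the accumulator once after the loop). The case-insensitive match is harmless only if rrd_auth_response() emits hex; if it can produce other characters, use an exact compare. Returning on the first match also means that, on success, the number of comparisons and hence the response time reveals the index of the matching entry in auth_secrets[].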
This means the client can use any of the secrets in my file, and I
will just test them all, to see if one matches?
What is the use case for this behaviour?
Would it make sense to have a secret and a user name, so that the
communication would look like this?
http://en.wikipedia.org/wiki/Cryptographic_nonce
This would also allow skipping the linear search ...
cheers
tobi
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
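The exchange proposed above (a user name so the server can look the secret up directly, plus a fresh nonce per attempt), as an added example that is not code from the patch or from rrdtool. rrdcached itself is written in C and this does not follow its wire protocol; the "user:secret" file layout, the CHALLENGE/OK/ERR message tags, and the use of HMAC-SHA256 over the nonce in place of the patch's rrd_auth_response() are all assumptions made for the illustration. The sample auth file is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample of the proposed auth file. Layout "user:secret" is an
# assumption for this example; the patch's file has one bare secret per line.
SAMPLE_AUTH_FILE = """\
# rrdcached secrets (constructed example, not a real file)
alice:correct horse battery staple   # trailing comment is dropped
bob:s3cr3t-for-bob   
"""

PRIV_LOW, PRIV_HIGH = 0, 1


def parse_auth_file(text):
    """Return {user: secret}; '#' starts a comment, trailing blanks are dropped.

    Because '#' is a comment marker anywhere on the line, a secret itself can
    never contain '#'.  Malformed lines are rejected rather than skipped.
    """
    secrets = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        user, sep, secret = line.partition(":")
        if not (sep and user and secret):
            raise ValueError("malformed auth line: %r" % raw)
        secrets[user] = secret
    return secrets


def auth_response(secret, nonce):
    """Assumed response function: HMAC-SHA256(secret, nonce), lowercase hex.

    This stands in for the patch's rrd_auth_response(), whose construction is
    not shown on the page; any keyed MAC over the nonce works the same way.
    """
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class Server:
    """Server side of AUTH <user> / CHALLENGE <nonce> / response / OK|ERR."""

    def __init__(self, secrets, nonce_source=os.urandom):
        self.secrets = secrets          # {user: secret} from parse_auth_file()
        self.nonce_source = nonce_source
        self.privilege = PRIV_LOW
        self.pending = None             # (user, nonce) while a challenge is open
        self.dummy_secret = os.urandom(16).hex()  # see handle_response()

    def handle_auth(self, user):
        """Client sent 'AUTH <user>': issue a fresh nonce bound to that user."""
        nonce = self.nonce_source(16).hex()
        self.pending = (user, nonce)
        return "CHALLENGE " + nonce

    def handle_response(self, response):
        """Client sent its response to the outstanding challenge."""
        if self.pending is None:
            return "ERR no challenge outstanding"
        user, nonce = self.pending
        self.pending = None             # single use: a replayed response fails
        # Direct lookup by user name replaces the patch's loop over every
        # secret.  Unknown users are still run through a full compare against
        # a dummy secret so that the reject path does the same work either way.
        secret = self.secrets.get(user, self.dummy_secret)
        expected = auth_response(secret, nonce)
        matched = hmac.compare_digest(expected.encode(), response.encode())
        if matched and user in self.secrets:
            self.privilege = PRIV_HIGH
            return "OK"
        return "ERR bad authentication response"


def client_respond(secret, challenge_line):
    """Client side: take the CHALLENGE line and compute the response for it."""
    tag, nonce = challenge_line.split(" ", 1)
    if tag != "CHALLENGE":
        raise ValueError("unexpected server message: %r" % challenge_line)
    return auth_response(secret, nonce)


def run_exchange(server, user, secret):
    """One complete round trip; returns the server's final reply line."""
    challenge = server.handle_auth(user)
    return server.handle_response(client_respond(secret, challenge))


if __name__ == "__main__":
    srv = Server(parse_auth_file(SAMPLE_AUTH_FILE))
    print(run_exchange(srv, "alice", "correct horse battery staple"))  # OK
    print(run_exchange(srv, "alice", "wrong"))  # ERR bad authentication response
```

hmac.compare_digest is the constant-time replacement for the strcasecmp() in the patch; the nonce is discarded as soon as one response has been checked, so a captured response cannot be replayed, and a user name that is not in the file still goes through a full MAC and compare against a throwaway secret rather than returning early.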