barefoot   Frontpage - Barefoot - Download - Usage - Status - Support - Modules - Docs - Links - Survey
 

RFC 931 Authentication

This page describes how to use RFC 931/identd based authentication.

Overview

The rfc931 authentication method uses RFC931/identd to obtain a user name. Note that in most environments this is not a secure way to authenticate users. It can however be obtained for any TCP based protocol, as long as the client runs a compliant identd server on it's machine. The user name can be used for access control, or to provide additional information in log files.

Using this method will increase latency each time a connection is initially received, due to the need to query the client machine for the user name, before forwarding of data optionally starts.

Environment setup

The Barefoot server needs to be compiled with libwrap to work with this authentication method. The identd daemon on the machine the client connects from will also typically need to be configured to return correct user names; some identd daemons do not do this by default.

Server privileges

Not used on Solaris, where the privilege API is used instead.
#server identities 
user.libwrap: libwrap

No special privileges are required to use identd based authentication. The Barefoot administrator should however specify a separate username with the user.libwrap keyword, if the server is otherwise started as root.

Example method usage

#authentication methods
clientmethod: rfc931
#allow connections from user 'webuser' on internal 192.0.2.0/24 network
#to webserver 'www.example.org'
client pass {
        from: 192.0.2.0/24 to: eth0 port = http
        bounce to: www.example.org port = http
        log: error # connect disconnect iooperation 
        protocol: tcp
	method: rfc931
}

The configuration above will only pass connections to webserv.example.org as long as the identd lookup succeeds and returns a username that is also present on the machine the Barefoot server runs on. The rfc931 method is specified twice, once after the clientmethod keyword and once in the client pass rule. It is further possible to specify a user or group keyword to limit access to a specific group of users or a single user, instead of all users on the machine the Barefoot server runs on.


Copyright © 1998-2018 Inferno Nettverk A/S