RFC931 Authentication

This page describes how to use RFC931/identd based authentication.

Overview

The rfc931 authentication method uses RFC931/identd to obtain a user name, increasing the reliability of hostname-based access control rules. Note that in most environments this is not a secure way to authenticate users. It is, however, available independently of the SOCKS protocol, so it can be used as a clientmethod before the SOCKS protocol negotiation starts, providing some additional information in the server log files.

Environment setup

The Dante server needs to be compiled with libwrap to work with this authentication method. The identd daemon will also typically need to be configured on the system the SOCKS client connects from, to return actual user names; some identd daemons do not do this by default.

Server privileges

#server identities (not needed on solaris)
user.libwrap: libwrap

No special privileges are required to use this authentication method. The server should however specify a separate username with the user.libwrap keyword if the server is started as root (this is not necessary on Solaris).

Example clientmethod usage

#authentication methods
clientmethod: rfc931
#allow connections from authenticated users on internal 192.0.2.0/24 network
client pass {
        from: 192.0.2.0/24 to: 0.0.0.0/0
        log: error # connect disconnect
        method: rfc931
}

The authentication configuration template can be used directly for rfc931; it is only necessary to specify the method name. With the rule above, no SOCKS negotiation is done unless the rfc931 identd lookup succeeds.

The security provided by the rfc931 authentication method will not necessarily be reliable, but it does increase the amount of information that is available for logging. When available, the information from identd will be included when connect or disconnect logging is enabled.
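To show what the identd lookup behind the rfc931 clientmethod actually involves, here is an added illustration of the RFC 1413 (successor to RFC 931) query and reply handling; it is not Dante's own code, and the function names, port numbers and user names in it are constructed for this example. The server asks identd on the client host which user owns the client's end of the connection, and must reject replies that do not echo the queried port pair.

```python
"""Illustrative RFC 1413/RFC 931 ident exchange written for this page (not Dante code).

The SOCKS server connects to port 113 on the client host and asks which user owns
the client's side of the SOCKS connection. The parser is testable offline; the
network lookup is shown so the full exchange is visible.
"""
import socket

IDENT_PORT = 113  # well-known ident/auth port

def build_query(remote_port: int, local_port: int) -> bytes:
    # Request line: "<port on the queried host> , <port on the querying host>"
    return f"{remote_port} , {local_port}\r\n".encode("ascii")

def parse_ident_reply(line: str, remote_port: int, local_port: int) -> dict:
    """Return {'user': u, 'os': o} for a USERID reply, else {'error': reason}.

    Reply format: "<rport> , <lport> : USERID : <os>[,<charset>] : <user-id>"
               or "<rport> , <lport> : ERROR : <error-type>"
    """
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) < 3:
        return {"error": "MALFORMED"}
    try:
        ports = [int(p) for p in fields[0].split(",")]
    except ValueError:
        return {"error": "MALFORMED"}
    # The reply must echo the port pair we asked about; anything else is untrusted.
    if ports != [remote_port, local_port]:
        return {"error": "PORT-MISMATCH"}
    kind = fields[1].upper()
    if kind == "ERROR":
        return {"error": fields[2] or "UNKNOWN-ERROR"}
    if kind == "USERID" and len(fields) == 4 and 0 < len(fields[3]) <= 512:
        # The os field may carry a charset suffix ("UNIX,US-ASCII"); keep the name only.
        return {"user": fields[3], "os": fields[2].split(",", 1)[0].strip()}
    return {"error": "MALFORMED"}

def ident_lookup(client_host: str, client_port: int, server_port: int, timeout=5.0) -> dict:
    """Ask identd on client_host who owns client_port (their side) <-> server_port (ours)."""
    try:
        with socket.create_connection((client_host, IDENT_PORT), timeout=timeout) as s:
            s.sendall(build_query(client_port, server_port))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return {"error": f"CONNECT-FAILED: {exc}"}
    return parse_ident_reply(data.decode("ascii", "replace"), client_port, server_port)
```

A lookup that returns an error (no identd, NO-USER, HIDDEN-USER, or a mismatched port pair) is exactly the case in which a client rule with method rfc931 does not match and SOCKS negotiation never starts.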

#block connections from specified group of users
client block {
        from: 192.0.2.0/24 to: 0.0.0.0/0
        log: error connect disconnect
        method: rfc931
        group: badusers
}

Specific users or groups can be granted or denied access via the user and group keywords. The example above blocks connections from all users in the badusers group.

Example method usage

#authentication methods
method: rfc931
#generic pass statement - bind/outgoing traffic
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
        method: rfc931
}

The authentication configuration template can be used directly for outgoing traffic; it is only necessary to specify the method name. Note again, however, that this is generally not a very secure way to authenticate users.

# generic pass statement for incoming connections/packets
pass {
        from: 10.0.0.2/32 to: 0.0.0.0/0
        command: bindreply
        log: error # connect disconnect iooperation
        user: ftpd
        method: rfc931
}

The rfc931 method can also be used for the bindreply and udpreply commands. This shows one such example, which only accepts a bindreply from the user ftpd on the machine 10.0.0.2. The remote machine needs to have identd configured, and the ftpd user needs to exist in the password file on the machine running the SOCKS server.


Copyright © 1998-2024 Inferno Nettverk A/S