brnstnd@stealth.acf.nyu.edu (01/06/90)
As specified by RFC 931, an Authentication Server on machine X listens at TCP port 113. Someone on machine Y connects and asks about another X-Y connection; the Authentication Server reports the name of the user on the X side. This has obvious applications to SMTP and NNTP: forgery above the TCP level becomes impossible. (For security below TCP, you need Kerberos or an equivalent system.)

I've implemented the Authentication Server and related utilities, and I'd like to gamma test the final (BSD) versions before releasing them to the net. There are three programs:

    authd      - the server itself
    authtcp    - a general TCP connector, understands authd
    attachport - a single-port inetd (sort of), understands authd

The programs don't need to be setuid root, but they do need their own uid and directory.

You don't need to change the kernel to run these programs; this means that old applications won't suddenly create authenticated connections. You have to update programs to take advantage of the extra security. I don't feel guilty about this: a communications program that uses authtcp or attachport doesn't need to understand TCP at all, so the whole system becomes much more portable and modular. My one-line mconnect clone illustrates the idea.

Anyway, if you're interested, write me.

---Dan
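The exchange described above, written out as an added example (this is not code from Dan's authd/authtcp/attachport package): the querying side that an SMTP or NNTP daemon on machine Y would run after accepting a connection from machine X. The message formats follow RFC 931 as cited in the post; the function and class names, and the sample port pair and reply lines used in the test, are constructed here.

```python
# Added example, not part of the authd package. Machine Y has an existing TCP
# connection from machine X; Y opens a second connection to X's port 113, sends
# the port pair of that connection, and checks the reply before trusting the
# user name it carries. Messages are built and parsed here; nothing is sent.
from dataclasses import dataclass
from typing import Optional

AUTH_PORT = 113  # Authentication Server port fixed by RFC 931


@dataclass
class IdentReply:
    user: Optional[str]   # user name on X, or None when X answered ERROR
    opsys: Optional[str]  # operating-system token from a USERID reply
    error: Optional[str]  # error type from an ERROR reply, e.g. NO-USER


def build_query(x_port: int, y_port: int) -> bytes:
    """RFC 931 request: '<port on X>, <port on Y>' terminated by CRLF."""
    for p in (x_port, y_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"bad TCP port {p}")
    return f"{x_port}, {y_port}\r\n".encode("ascii")


def parse_reply(line: bytes, x_port: int, y_port: int) -> IdentReply:
    """Validate a reply against the query it should answer.

    Accepted forms:  '<x>, <y> : USERID : <opsys> : <user>'
                     '<x>, <y> : ERROR : <error-type>'
    A reply that is malformed or names a different port pair is rejected, so a
    stray or replayed answer cannot be attributed to the wrong connection.
    """
    fields = line.decode("ascii").rstrip("\r\n").split(":", 3)
    if len(fields) < 3:
        raise ValueError("malformed reply")
    ports = fields[0].split(",")
    if len(ports) != 2 or not all(p.strip().isdigit() for p in ports):
        raise ValueError("malformed port pair")
    if (int(ports[0]), int(ports[1])) != (x_port, y_port):
        raise ValueError("reply does not echo the queried connection")
    kind = fields[1].strip()
    if kind == "USERID" and len(fields) == 4:
        return IdentReply(user=fields[3].strip(), opsys=fields[2].strip(), error=None)
    if kind == "ERROR" and len(fields) == 3:
        return IdentReply(user=None, opsys=None, error=fields[2].strip())
    raise ValueError(f"unexpected reply type {kind!r}")
```

The answer is only as trustworthy as machine X's Authentication Server, which is exactly the point the post makes about needing Kerberos for anything below TCP.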