man Net::Sident () - Perl extension for Secure Ident Protocol
NAME
Net::Sident - Perl extension for Secure Ident Protocol
SYNOPSIS
    use Net::Sident qw(set_authtype set_authflag lookup query);

    $status = set_authtype ("KERBEROS_V4", "/etc/leland/ident.srvtab");
    $status = set_authflag ("USER-INTERACTION", "YES");

    ($requester_port, $responder_port, $identifier, $opsys, $charset, $status)
        = lookup (fileno (STDIN), $timeout);
    ($requester_port, $responder_port, $identifier, $opsys, $charset, $status)
        = query ($responder_ip, $responder_port, $requester_ip, $requester_port, $timeout);
DESCRIPTION
Net::Sident is a simple functional interface to the C libsident library. The set_authtype call should be used before any attempts to use any other part of the library.
There are two lookup methods: lookup() takes a file number and a timeout as arguments, and query() takes the IP address (as a string) and port number of both the requester and the responder, plus the timeout. If you have an open file descriptor to the remote client, lookup() is the simplest interface; query() is only needed in more complicated cases.
Here's an example. This asks for information about the client connecting to port 25 on localhost, where the client's port is 8000. A 30 second timeout is set:
    query ("127.0.0.1", 25, "127.0.0.1", 8000, 30);
If the connection from the client is on standard input of the Perl script (typical if, for instance, the Perl script is being run out of inetd), the following is equivalent and much simpler:
    lookup (fileno (STDIN), 30);
Additional flags can be set or retrieved with set_authflag() and get_authflag(). The status returned by Net::Sident will be one of the following constants, all of which are exported by the Net::Sident module:
    IDENT_AUTH_FAIL
    IDENT_AUTH_NOT_SUPPORTED
    IDENT_AUTH_OKAY
    IDENT_BUFFER_SIZE
    IDENT_FLAG_NOT_SUPPORTED
    IDENT_HIDDEN_USER
    IDENT_INTERNAL_ERR
    IDENT_INVALID_FLAG_VALUE
    IDENT_INVALID_PORT
    IDENT_INVALID_REQ_INFO
    IDENT_INVALID_RESP_INFO
    IDENT_MAX_ERROR
    IDENT_MUTUAL_AUTH_FAIL
    IDENT_NO_MUTUAL_AUTH
    IDENT_NO_USER
    IDENT_READ_TIMEOUT
    IDENT_SYSTEM_ERROR
    IDENT_TIMEOUT
    IDENT_UNKNOWN_ERROR
    IDENT_USER_CANT_AUTH
    IDENT_USER_WONT_AUTH
For more information on the meaning of these constants, see sident(3). The returned identifier will normally be the Kerberos identity of the remote user, a colon, and then the local Unix username of the remote user. Note that the latter is rarely particularly useful.
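The following script is an added illustration, not code from the Net::Sident distribution. It ties the calls above together: it initialises the library with set_authtype(), uses lookup() when the client connection arrives on standard input (the inetd case) and query() otherwise, and accepts a result only when the status is IDENT_AUTH_OKAY, splitting the identifier at its last colon to separate the Kerberos identity from the remote Unix username. It assumes that set_authtype() also reports success as IDENT_AUTH_OKAY; the srvtab path is the placeholder from the SYNOPSIS.

```perl
#!/usr/bin/perl
# Added example; not part of Net::Sident.  Assumes the interface documented
# above (set_authtype, lookup, query, IDENT_* constants) and that
# set_authtype() returns IDENT_AUTH_OKAY on success.
use strict;
use warnings;
use Net::Sident qw(set_authtype lookup query
                   IDENT_AUTH_OKAY IDENT_NO_USER IDENT_TIMEOUT
                   IDENT_READ_TIMEOUT IDENT_USER_WONT_AUTH
                   IDENT_USER_CANT_AUTH IDENT_AUTH_FAIL);

my $TIMEOUT = 30;    # seconds, as in the examples above

# The library must be initialised before any lookup.  Srvtab path is the
# placeholder from the SYNOPSIS; substitute the service's own.
my $status = set_authtype('KERBEROS_V4', '/etc/leland/ident.srvtab');
die "set_authtype failed with status $status\n"
    unless $status == IDENT_AUTH_OKAY;

# Interpret one lookup result.  Returns the Kerberos identity on success
# and undef otherwise, logging the reason to STDERR for the service log.
sub authenticated_principal {
    my ($identifier, $status) = @_;
    if ($status != IDENT_AUTH_OKAY) {
        my %why = (
            IDENT_NO_USER()        => 'no user on the remote port',
            IDENT_TIMEOUT()        => 'connection to remote identd timed out',
            IDENT_READ_TIMEOUT()   => 'remote identd did not answer in time',
            IDENT_USER_WONT_AUTH() => 'remote user declined to authenticate',
            IDENT_USER_CANT_AUTH() => 'remote user cannot authenticate',
            IDENT_AUTH_FAIL()      => 'authentication failed',
        );
        warn 'S/Ident: ', ($why{$status} // "status $status"), "\n";
        return;
    }
    # Identifier is "<Kerberos identity>:<remote Unix username>".  Only the
    # Kerberos identity is of interest here; the username, as noted above,
    # is rarely useful, so drop everything after the last colon.
    my $colon = rindex $identifier, ':';
    return $colon < 0 ? $identifier : substr $identifier, 0, $colon;
}

my ($req_port, $resp_port, $identifier, $opsys, $charset);
if (-S STDIN) {
    # Run from inetd: the client connection is our standard input.
    ($req_port, $resp_port, $identifier, $opsys, $charset, $status)
        = lookup(fileno(STDIN), $TIMEOUT);
} else {
    # Otherwise take both ends of the connection from the command line.
    my ($resp_ip, $rport, $req_ip, $cport) = @ARGV;
    die "usage: $0 responder_ip responder_port requester_ip requester_port\n"
        unless defined $cport;
    ($req_port, $resp_port, $identifier, $opsys, $charset, $status)
        = query($resp_ip, $rport, $req_ip, $cport, $TIMEOUT);
}

my $principal = authenticated_principal($identifier, $status);
if (defined $principal) {
    print "authenticated $principal ($opsys, $charset) ",
          "for connection $req_port -> $resp_port\n";
    exit 0;
}
exit 1;
```

Run it either under inetd, where the connection is on STDIN and lookup() is used, or by hand as `./sident-check.pl 127.0.0.1 25 127.0.0.1 8000`, which issues the same query() as the earlier example.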
WARNING
The S/Ident protocol implemented by this package is inherently vulnerable to an active man-in-the-middle attack. If an attacker can interpose themselves into a network connection initiated by a victim and both impersonate that victim and selectively control which of their packets reach a server using S/Ident, the attacker can make use of the victim's authentication credentials. The attacker cannot initiate the session, only hijack an existing authenticated session.
Because of this, you should very carefully analyze the security requirements of any service for which you're considering deploying S/Ident authentication. Due to the requirements of the attack, S/Ident may still be appropriate for very light authentication or in secure network environments, but should not be used for general authentication on untrusted networks.
SEE ALSO
AUTHORS
Originally written by Booker C. Bense <bbense@stanford.edu>. Currently maintained by Russ Allbery <rra@stanford.edu>.