Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!sdd.hp.com!spool2.mu.edu!uunet!mcsun!hp4nl!nikhefh!e07
From: e07@nikhefh.nikhef.nl (Eric Wassenaar)
Newsgroups: comp.protocols.tcp-ip.domains
Subject: Internet address authentication (was: PTR records ...)
Message-ID: <1119@nikhefh.nikhef.nl>
Date: 16 Jan 91 01:39:04 GMT
Sender: e07@nikhef.nl (Eric Wassenaar)
Organization: Nikhef-H, Amsterdam (the Netherlands).
Lines: 36

If you want to do some internet address authentication, the following
is a simple way to proceed.

It is obvious that authentication must NOT be done within gethostbyaddr().
This is, and should be, only an interface to interrogate the nameserver.

You don't need to implement the authentication checking in individual
daemons like rlogind, telnetd, ftpd, etc. It can be done at an even
higher level, and it does not require any source code adaptation.

You write a little program of your own, call it tcpconn, and let it be
invoked by inetd for every tcp connection. This program can do a
getpeername(), gethostbyaddr(), and gethostbyname() to check if the peer
address maps to a host, and if the address belongs to that host, if you
are very security minded. You can also log connections via syslog.
If you decide to accept the connection, the program execs the 'real'
daemon, given by argv[0]. You may even adapt the strategy depending on
the service.

Your inetd.conf has entries like:

# service  mode    proto  state   user    pathname      program
ftp        stream  tcp    nowait  root    /etc/tcpconn  ftpd
telnet     stream  tcp    nowait  root    /etc/tcpconn  telnetd
login      stream  tcp    nowait  root    /etc/tcpconn  rlogind
finger     stream  tcp    nowait  nobody  /etc/tcpconn  fingerd

Eric Wassenaar
--
Organization: NIKHEF-H, National Institute for Nuclear and High-Energy Physics
Address: Kruislaan 409, P.O. Box 41882, 1009 DB Amsterdam, the Netherlands
Phone: +31 20 592 0412, Home: +31 20 909449, Telefax: +31 20 592 5155
Internet: e07@nikhef.nl
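The tcpconn wrapper sketched in the post, written out as an added example (this is not Eric Wassenaar's program, which the post does not include). It does the getpeername() / gethostbyaddr() / gethostbyname() sequence, distinguishes "no PTR record" from "PTR name whose forward lookup does not contain the peer address", logs the verdict via syslog, and execs the real daemon named by argv[0] (inetd passes the "program" field of inetd.conf as argv[0]). Assumptions: IPv4 only, the real daemons live under DAEMON_DIR (a made-up path; adjust it), and the policy shown is the strict one (reject anything that is not forward/reverse consistent). The constructed_hostent() helper builds a hostent from dotted quads so the matching logic can be exercised offline without a resolver; it is not needed in production.

```c
/*
 * tcpconn.c: inetd front-end that checks the peer's reverse and forward
 * DNS before handing the connection to the real daemon.
 * Added example, not code from the original post. Assumes IPv4 and that
 * the real daemons (ftpd, telnetd, ...) live under DAEMON_DIR (an assumption).
 */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

#define DAEMON_DIR "/usr/libexec"   /* assumption: where the real daemons live */

enum { PEER_NOPTR = 0, PEER_MISMATCH = 1, PEER_OK = 2 };

/* True if addr appears in the hostent's address list (forward lookup confirms PTR). */
int addr_in_hostent(const struct in_addr *addr, const struct hostent *hp)
{
    char **ap;
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(*addr))
        return 0;
    for (ap = hp->h_addr_list; *ap != NULL; ap++)
        if (memcmp(*ap, addr, sizeof(*addr)) == 0)
            return 1;
    return 0;
}

/* Same check with a dotted-quad string; 0 if the string is not a valid IPv4 address. */
int dotted_in_hostent(const char *dotted, const struct hostent *hp)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return 0;
    return addr_in_hostent(&a, hp);
}

/* Constructed offline input: a hostent with up to two addresses, no resolver involved. */
struct hostent *constructed_hostent(const char *name, const char *a1, const char *a2)
{
    static struct in_addr addrs[2];
    static char *list[3];
    static struct hostent hp;
    int n = 0;
    if (a1 != NULL && inet_pton(AF_INET, a1, &addrs[n]) == 1) { list[n] = (char *)&addrs[n]; n++; }
    if (a2 != NULL && inet_pton(AF_INET, a2, &addrs[n]) == 1) { list[n] = (char *)&addrs[n]; n++; }
    list[n] = NULL;
    hp.h_name = (char *)name; hp.h_aliases = NULL;
    hp.h_addrtype = AF_INET; hp.h_length = sizeof(struct in_addr);
    hp.h_addr_list = list;
    return &hp;
}

/* PTR lookup, then forward lookup of the returned name; copies the name into namebuf. */
int verify_peer(const struct in_addr *addr, char *namebuf, size_t namelen)
{
    struct hostent *hp = gethostbyaddr(addr, sizeof(*addr), AF_INET);
    if (hp == NULL) {
        strncpy(namebuf, inet_ntoa(*addr), namelen - 1); namebuf[namelen - 1] = '\0';
        return PEER_NOPTR;
    }
    /* copy h_name first: the next resolver call reuses hp's static storage */
    strncpy(namebuf, hp->h_name, namelen - 1); namebuf[namelen - 1] = '\0';
    hp = gethostbyname(namebuf);
    return addr_in_hostent(addr, hp) ? PEER_OK : PEER_MISMATCH;
}

int main(int argc, char **argv)
{
    struct sockaddr_in peer; socklen_t len = sizeof(peer);
    char name[256], path[512];
    const char *prog = strrchr(argv[0], '/');
    int verdict;
    (void)argc;
    prog = prog ? prog + 1 : argv[0];            /* "ftpd", "telnetd", ... from inetd.conf */

    openlog("tcpconn", LOG_PID, LOG_DAEMON);
    if (getpeername(0, (struct sockaddr *)&peer, &len) < 0 || peer.sin_family != AF_INET) {
        syslog(LOG_ERR, "%s: getpeername failed", prog);
        return 1;
    }
    verdict = verify_peer(&peer.sin_addr, name, sizeof(name));
    syslog(verdict == PEER_OK ? LOG_INFO : LOG_WARNING, "%s: connection from %s [%s]: %s",
           prog, name, inet_ntoa(peer.sin_addr),
           verdict == PEER_OK ? "forward/reverse consistent" :
           verdict == PEER_MISMATCH ? "FORWARD/REVERSE MISMATCH" : "no PTR record");
    if (verdict != PEER_OK)                      /* strict policy; relax per service if wanted */
        return 1;
    snprintf(path, sizeof(path), "%s/%s", DAEMON_DIR, prog);
    execv(path, argv);                           /* hand the accepted connection to the real daemon */
    syslog(LOG_ERR, "exec %s: %m", path);
    return 1;
}
```

Two points a practitioner should keep in mind: the PTR name must be copied out before calling gethostbyname(), because both resolver calls return the same static buffer; and a forward/reverse match only proves that whoever controls the in-addr.arpa zone and whoever controls the forward zone agree, so it identifies the host's administrator, not the user behind the connection.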