Hi all!
Here are some patches I'd propose to include into SANE:
SANE Standard (then 1.0.2)
doc/sane.tex include/sane/sane.h:
* SANE_MAX_USERNAME_LEN & SANE_MAX_PASSWORD_LEN are now 128 chars
(instead of 256)
system routines like getpasswd() just allow 128 chars... if we like to
use them, we have to restrict ourselves to 128 chars
doc/net.tex backend/net.c:
* the SANE_NET_AUTHORIZE RPC can be interpreted in two different ways.
If a backend uses the auth_callback the sane_call (sane_open,
sane_control_option, sane_start) could fail, the frontend sends
username/password and restarts the sane_call (HTTP-Style). Or the
frontend just answers the username/password and the original sane_call
continues (Callback-Style).
Neither worked with net.c... I've changed this to the Callback-Style
(which works now)
doc/net.tex:
the biggest problem with SANE user authorization is that the password is
transmitted in plain-text. To avoid this Andreas Beck, Oliver Rauch and
myself developed the following idea...
the "old" way is this:
======================
1. backend (saned) requests a username/password for resource "res"
2. the frontend (xsane & frontend/test.c is capable of doing this) asks
the user for his or her username/password and sends them to the backend
(in plain-text)
3. the backend compares the res/username/password combination with a
password-file, etc...
the "new" way is:
=================
1. the backend requests a username/password for resource "res", but it
appends the string "$MD5$" and a random string to the resource-name
("res$MD5$iamarandomstring")
2.1. a dumb frontend displays this "strange" resource-name, asks the
user for his name, etc... and returns all in plain-text
2.2. an intelligent frontend displays only the "res", asks the user for
his name/password and returns username and the MD5 digest of
randomstring + password
if the password is "mypass" the returned password would be
md5sum ("iamarandomstringmypass") = ea1075c68434ca93b98b74ae1fcb4842
To signal the backend that the frontend used MD5, it prepends the md5
digest of the password with the string "$MD5$". In this case, it would
return
username:$MD5$ea1075c68434ca93b98b74ae1fcb4842
3.1 If the frontend receives a plain-text reply, it compares the
username/password with its list
3.2 if the frontend receives an md5-reply, it calculates the md5 of the
password it has in its list and compares it with the password received
from the frontend
===========
This has the advantage, that the password isn't transmitted over the
network... a disadvantage is that the passwords are stored in plain-text
on the server...
To make it possible to include this kind of user-authorization easily,
there is a new interface:
lib/md5.c include/md5.h include/sane/sanei_auth.h sanei/sanei_auth.c:
* These files implement the user authentication proposed above. A
backend just has to call
    sanei_authorize ("resource-name", STRINGIFY(BACKEND_NAME),
                     auth_callback);
if a file SANEI_CONFIG_DIR/BACKEND_NAME.users exists containing lines
of the form
    resource:username:password
the sanei_authorize calls the auth_callback and checks whether the user
is allowed to access this resource. If the authorization fails, the
procedure returns SANE_STATUS_ACCESS_DENIED; in all other cases it
returns SANE_STATUS_GOOD.
The random-string used by the sanei_authorize is the PID of the backend,
the time(NULL) and some random bytes taken from /dev/urandom (or from
rand() if /dev/urandom doesn't exist - this is checked by the configure
script)
frontend/scanimage.c frontend/saned.c doc/saned.man doc/scanimage.man:
furthermore, I've modified scanimage to handle such requests... if a
file ~/.sane/pass exists, it is used to automate the process
(permissions must be 0600 at least, the format is the same as for
sanei_authorize). To make sure the frontend isn't replying to old
unsecured password-requests, you can use the command-line option
--accept-md5-only.
saned is modified to restrict access for certain backends... if a file
SANE_CONFIG_DIR/saned.users exists (containing lines of the form
    backend:username:password
like
    mustek_pp:jochen:mysecret
    mustek_pp:guest:nosecret
    mustek:henning:better secret!!!
) only these users are allowed to access these backends... note that all
other backends can be accessed by everybody.
hmm...
I hope I made myself clear...
please send feedback!!
I've attached a tar-ball of all modified files... (I modified the
version available from CVS at Nov-16 (3 pm CET))
-- jochen
This archive was generated by hypermail 2b29 : Fri Nov 17 2000 - 09:26:07 PST
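The challenge/response exchange described in the message, as an added Python example (not part of the original post and not SANE's sanei_auth.c). The function names are hypothetical, and the random string comes from `secrets.token_hex`, an assumption standing in for the PID/time/urandom mix the message describes.

```python
import hashlib
import hmac
import secrets

MARK = "$MD5$"

# Constructed sample in the message's resource:username:password format.
USERS = """\
mustek_pp:jochen:mysecret
mustek:henning:better secret!!!
"""

def load_users(text):
    """Map (resource, username) -> password; the password may hold ':' or spaces."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            res, user, pw = line.split(":", 2)
            table[(res, user)] = pw
    return table

def make_challenge(resource, nonce=None):
    """Backend step 1: append $MD5$ and a fresh random string to the resource."""
    return resource + MARK + (nonce or secrets.token_hex(16))

def frontend_reply(challenge, password, accept_md5_only=False):
    """Frontend step 2: answer with $MD5$ + md5(randomstring + password)."""
    resource, sep, nonce = challenge.partition(MARK)
    if not sep:  # old-style request with no random string attached
        if accept_md5_only:
            raise ValueError("refusing plain-text password request")
        return password
    return MARK + hashlib.md5((nonce + password).encode()).hexdigest()

def backend_check(challenge, username, reply, users):
    """Backend step 3: recompute from the stored password and compare."""
    resource, _, nonce = challenge.partition(MARK)
    stored = users.get((resource, username))
    if stored is None:
        return False
    if reply.startswith(MARK):
        expected = MARK + hashlib.md5((nonce + stored).encode()).hexdigest()
    else:  # dumb frontend returned the password itself
        expected = stored
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(reply.encode(), expected.encode())
```

Because the digest covers the random string, a reply recorded for one challenge does not verify against the next one; the server-side file still has to hold the passwords in plain text, as the message notes.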