
Support for authentication

Open soupdiver opened this issue 7 years ago • 5 comments

I am currently trying to implement the "Ironhouse pattern" mentioned here. The example C code:

    //  Start the authenticator and tell it to authenticate clients
    //  via the certificates stored in the .curve directory.
    zauth_t *auth = zauth_new (ctx);
    assert (auth);
    zauth_set_verbose (auth, true);
    zauth_allow (auth, "127.0.0.1");
    zauth_configure_curve (auth, "*", ".curve");

I am trying to figure out how I would make the call to zauth_configure_curve with this Go package. I found the certstore struct, which would be part of this, but it's not used anywhere else in the code.

Am I missing something or is this feature not (yet) implemented?

soupdiver, Dec 18 '17 15:12

@soupdiver is this still relevant?

erkki, Jan 15 '20 08:01

@soupdiver is this still relevant?

I don't know... I guess my question still stands but I'm not working on this anymore 😅

soupdiver, Jan 15 '20 08:01

Also wondering about this: if a server needs to authenticate allowed client public keys, is there any way to do this using these bindings? From the docs:

This gives us three possible security models ...

  • Where all clients share the same public key, that the server checks. In this case access to the server will be restricted to authorized clients. This fits the model of a private network over public infrastructure. Note that the client public key can be stolen, but cannot be used unless an attacker also steals the client secret key.
  • Where each client has its own key, that the server checks. In this case the server can grant access to clients according to their authenticated identity. Again, an attacker may steal the client public key but cannot do anything with this unless it can also steal the client's secret key.

izzymg, Feb 14 '20 09:02

To answer my own question: auth.Curve("dir/with/allowed_certs") seems to do the trick; if you want to allow any clients, replace the path with "*". Otherwise, any public certificates will be read from that directory on an incoming request in order to verify it.

izzymg, Feb 14 '20 11:02

@izzymg to have custom logic for this, you would need to allocate a REP socket bound to "inproc://zeromq.zap.01", as per https://rfc.zeromq.org/spec/27/. Then you can use custom logic to answer the ZAP query (authenticate against a db, etc.).

erkki, Feb 15 '20 12:02
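Putting the two answers above together, as an added example that is not goczmq's own code and not code posted by anyone in this thread: the built-in route is goczmq's NewAuth() followed by Allow(...) and Curve(dir), which runs CZMQ's zauth actor and reads the allowed client certificates from that directory. When the allow list has to come from somewhere else, erkki's route is a ZAP handler: a socket bound at inproc://zeromq.zap.01 that receives one multipart request per connecting peer and answers it with a status code. The block below implements that handler's message format (ZAP 1.0, RFC 27) and decision logic in pure Go with no libzmq dependency, so it runs offline. The type and function names (Authenticator, ParseZAPRequest, curveRequest), the "global" domain, the request id 0x01 and the 32 repeated bytes used as a client key are all assumptions or constructed sample data, not values from goczmq or the RFC.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
)

// ZAP 1.0 constants (https://rfc.zeromq.org/spec/27/).
const (
	zapVersion    = "1.0"
	zapOK         = "200" // credentials accepted
	zapAuthFailed = "400" // credentials rejected
	zapInternal   = "500" // handler could not process the request
	curveKeyLen   = 32    // raw CURVE public key carried in the credential frame
)

// ZAPRequest is the multipart request the context sends to the handler socket
// bound at inproc://zeromq.zap.01: version "1.0", opaque request id, ZAP domain,
// peer IP address, socket identity, mechanism, then mechanism-specific credential
// frames (for CURVE: a single frame holding the client's raw 32-byte public key).
type ZAPRequest struct {
	Version, Domain, Address, Mechanism string
	RequestID, Identity                 []byte
	Credentials                         [][]byte
}

// ParseZAPRequest splits raw frames into a ZAPRequest and checks the version.
func ParseZAPRequest(frames [][]byte) (*ZAPRequest, error) {
	if len(frames) < 6 {
		return nil, fmt.Errorf("zap: expected at least 6 frames, got %d", len(frames))
	}
	r := &ZAPRequest{
		Version: string(frames[0]), RequestID: frames[1], Domain: string(frames[2]),
		Address: string(frames[3]), Identity: frames[4], Mechanism: string(frames[5]),
		Credentials: frames[6:],
	}
	if r.Version != zapVersion {
		return nil, fmt.Errorf("zap: unsupported version %q", r.Version)
	}
	return r, nil
}

// Authenticator is the custom policy: an IP allow list (empty means any address)
// and the accepted CURVE client public keys; the map stands in for a database.
type Authenticator struct {
	AllowedAddrs map[string]bool
	AllowedKeys  map[string]string // raw 32-byte public key -> user id
}

// reply builds the six-frame ZAP reply: version, request id, status code,
// status text, user id, metadata (empty here).
func reply(requestID []byte, code, text, userID string) [][]byte {
	return [][]byte{[]byte(zapVersion), requestID, []byte(code), []byte(text), []byte(userID), {}}
}

// Handle answers one ZAP request. It must never panic on malformed input,
// since the handler is reachable by any peer that can connect to the server.
func (a *Authenticator) Handle(frames [][]byte) [][]byte {
	req, err := ParseZAPRequest(frames)
	if err != nil {
		var id []byte // echo the request id if it is present at all
		if len(frames) > 1 {
			id = frames[1]
		}
		return reply(id, zapInternal, err.Error(), "")
	}
	if !a.addressAllowed(req.Address) {
		return reply(req.RequestID, zapAuthFailed, "Address not allowed", "")
	}
	if req.Mechanism != "CURVE" {
		return reply(req.RequestID, zapAuthFailed, "Mechanism not supported: "+req.Mechanism, "")
	}
	if len(req.Credentials) != 1 || len(req.Credentials[0]) != curveKeyLen {
		return reply(req.RequestID, zapAuthFailed, "Malformed CURVE credentials", "")
	}
	user, ok := a.AllowedKeys[string(req.Credentials[0])]
	if !ok {
		return reply(req.RequestID, zapAuthFailed, "Unknown client public key", "")
	}
	return reply(req.RequestID, zapOK, "OK", user)
}

func (a *Authenticator) addressAllowed(addr string) bool {
	if len(a.AllowedAddrs) == 0 {
		return true
	}
	ip := net.ParseIP(addr)
	return ip != nil && a.AllowedAddrs[ip.String()] // "::ffff:127.0.0.1" matches "127.0.0.1"
}

// curveRequest builds the frames libzmq would send for a CURVE client (assumed domain "global").
func curveRequest(addr string, key []byte) [][]byte {
	return [][]byte{[]byte(zapVersion), []byte{0x01}, []byte("global"), []byte(addr), {}, []byte("CURVE"), key}
}

func main() {
	aliceKey := bytes.Repeat([]byte{0xA1}, curveKeyLen) // constructed sample data, not a real key
	auth := &Authenticator{AllowedAddrs: map[string]bool{"127.0.0.1": true},
		AllowedKeys: map[string]string{string(aliceKey): "alice"}}
	r := auth.Handle(curveRequest("127.0.0.1", aliceKey))
	fmt.Printf("%s %s user=%q\n", r[2], r[3], r[4])
}
```

To attach this to a real context, bind a REP socket to inproc://zeromq.zap.01 before the server socket binds and loop receive, Handle, send; goczmq's NewRep, RecvMessage and SendMessage work on the same [][]byte shape (an assumption about that API, so check it against the goczmq docs for your version). goczmq's NewAuth() starts CZMQ's zauth actor, which binds the same endpoint itself, so use one or the other, not both. The check the handler performs is a membership check, not proof of possession: libzmq only issues the ZAP request after the CURVE handshake has verified that the peer holds the secret key matching the public key in the credential frame, which is why, as the quoted docs say, a stolen public key on its own buys an attacker nothing.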