Authentication questions

Simon McVittie simon.mcvittie at collabora.co.uk
Tue Feb 21 08:26:09 PST 2012


On 21/02/12 15:39, G. Blake Meike wrote:
> - When I attempt to authenticate with my system's session bus, I am
> offered ANONYMOUS as a legal authentication mechanism.  It appears,
> though, that if I use it, the server immediately drops the connection
> once I send BEGIN.

I believe this may mean that the anonymous pseudo-user is authenticated
(trivially: you don't need to do anything to prove that you are the
anonymous pseudo-user), but unauthorized (it may not connect: only the
Unix/Windows user who owns the session may do that).

See, for instance, RFC 4422 "Simple Authentication and Security Layer
(SASL)" §2 "Identity Concepts" for the difference between authentication
and authorization.

> and, btw, is
> there a way to make the server accept the (totally unsafe) ANONYMOUS
> authentication mechanism?

Yes, although possibly only by modifying the source code.

> - When I look at the timestamps in the file
> .dbus-keyring/org_freedesktop_general, for instance, they do not seem
> to be, as the spec suggests, UTC seconds since the epoch.  They seem
> to be off by a factor of about 1200.

It's possible that they're incorrectly using the system's monotonic
timescale (seconds of real-time since an arbitrary time, not counting
time during which the system was suspended, and continuing to "tick
upwards" even if the system's clock is corrected). That'd be a bug,
albeit one that doesn't necessarily affect many users.

(Most users of D-Bus are on Linux or FreeBSD systems where
credentials-passing works, so they don't have to use DBUS_COOKIE_SHA1
and can use EXTERNAL authentication instead; most of the remaining users
aren't trying to share a session bus across multiple machines, which is
the only reason why the timestamp should be consistently
seconds-since-epoch.)

    S
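
The keyring timestamp check discussed above, as an added example that is not part of the original message or of D-Bus itself: it parses keyring lines in the `<id> <creation time> <hex cookie>` layout given in the D-Bus specification and flags creation times that cannot be seconds since the epoch. The floor date, the skew tolerance, the function names and the sample data are assumptions made for illustration.

```python
import re

# Keyring line layout from the D-Bus specification's DBUS_COOKIE_SHA1 section:
# "<cookie id> <creation time> <hex cookie>"
LINE_RE = re.compile(r"^(\d+) (\d+) ([0-9a-fA-F]+)$")

# Assumption for this example: no genuine cookie predates 2003-01-01 UTC.
EPOCH_FLOOR = 1041379200
SLACK = 600  # assumed tolerance for clock skew, in seconds

def parse_keyring(text):
    """Return [(cookie_id, created, cookie_hex)]; raise ValueError on bad lines."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: expected '<id> <time> <hex cookie>'")
        entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries

def audit(text, now_epoch):
    """Classify each cookie's timestamp; the cookie secret is never returned."""
    report = []
    for cookie_id, created, _secret in parse_keyring(text):
        if created < EPOCH_FLOOR:
            verdict = "too-small-for-epoch"   # e.g. an uptime/monotonic reading
        elif created > now_epoch + SLACK:
            verdict = "future"
        else:
            verdict = "epoch"
        # Ratio of "now" to the stored value: the "off by a factor of" figure.
        factor = round(now_epoch / created) if created else None
        report.append((cookie_id, verdict, factor))
    return report

# Constructed sample data, not taken from a real keyring.
SAMPLE_NOW = 1329841569
SAMPLE = """\
1 1108201 0f1e2d3c4b5a69788796a5b4c3d2e1f0
2 1329840000 00112233445566778899aabbccddeeff
3 1329941569 ffeeddccbbaa99887766554433221100
"""

if __name__ == "__main__":
    for row in audit(SAMPLE, SAMPLE_NOW):
        print(row)
```

On a real system, pass `time.time()` as `now_epoch`; a "too-small-for-epoch" verdict with a factor near the one reported in the question is consistent with a monotonic clock reading having been stored.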
