authtcp

Section: User Commands (1)

NAME

authtcp - create a locally authenticated TCP connection  

SYNTAX

authtcp [ -dn ] [ -plocalport ] [ -rRxXv ] [ -ACHUVW ] inetaddr tcpport program [ arg ... ]  

DESCRIPTION

authtcp creates a TCP connection to Internet host inetaddr at port tcpport, then runs program with the specified arguments. The local TCP port may be given as localport, or authtcp will assign one.

Until program exits, authd(8) will report that the user owns the TCP connection. Hence the other end of the connection can verify the identity of this end, modulo the lack of Internet security.

inetaddr can be fully specified as a dotted Internet address, or given as a domain name. tcpport can be fully specified as a decimal port number, or given as a service name.

authtcp makes the connection available to program as a socket in file descriptor 6, leaving all other file descriptors intact.

Options ACHUVW print the authorship notice, copyright notice, help notice, short usage summary, version number, and warranty information respectively.

authtcp has several flags:

-dn
Provide the connection in file descriptor n, rather than the default descriptor, 6. If n is not specified, authtcp will open the connection in the first available file descriptor and pass that number in place of the first argument to program that contains solely an equals sign (if there is one).
-plocalport
Attempt to use localport as the local TCP port number. This may fail if that port number is out of range (usually 1-65535), or if another process is using that port (or has used it very recently). Ports 1 through 1023 are generally reserved for root processes, and ports above 50000 are generally reserved for user servers. If you specify -p0 (default), authtcp will assign a number. Several instances of -p defer to the last.
-X
Do not attempt to locally authenticate the connection; just set up the connection and run program.
-x
Locally authenticate the connection (default).
-r
Attempt to determine the identity of the other end of this connection through the remote Authentication Server (default). authtcp will place the identity into environment variable REMOTE, with the form user@in.et.ad.dr where user is a string giving the user name and in.et.ad.dr is a numerical Internet address. If the other end is not authenticated, user will be blank. Note that user may contain @ signs; REMOTE should be parsed from right to left. authtcp also sets environment variable PROTO to the string TCP.
-R
Do not remotely authenticate.
-v
Verbose: Print a message when the connection is established. Also, report unusual termination of program.

If program terminates normally, authtcp will terminate with the same exit code. Otherwise it will terminate with exit code 1.
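A skeleton of a `program` meant to be started by authtcp, written as an added example for this page (it is not part of the authtcp distribution). It follows the conventions described above: the connection arrives on descriptor 6 unless `-d` substituted a number for an `=` argument, REMOTE is parsed from right to left because the user part may itself contain `@`, a blank user means the peer did not authenticate, and the socket is never closed before exit, as the RESTRICTIONS section requires. The `demo()` function stands in for authtcp with a socketpair and a constructed REMOTE/PROTO environment.

```python
"""Skeleton `program` for authtcp (added example, not authtcp's own code).
authtcp passes the socket on fd 6 (or the -d descriptor) and exports
REMOTE="user@in.et.ad.dr" and PROTO="TCP" for the remote identity."""
import socket

DEFAULT_FD = 6  # authtcp's default descriptor for the connection


def parse_remote(remote):
    """Split REMOTE into (user, address) scanning from the RIGHT:
    the man page warns that user may itself contain '@' signs."""
    user, sep, addr = remote.rpartition("@")
    if not sep:
        raise ValueError("REMOTE has no '@': %r" % (remote,))
    return user, addr


def peer_identity(environ):
    """(authenticated, user, addr), or None if PROTO/REMOTE are absent.
    A blank user means the far end was not remotely authenticated."""
    if environ.get("PROTO") != "TCP" or "REMOTE" not in environ:
        return None
    user, addr = parse_remote(environ["REMOTE"])
    return (user != "", user, addr)


def connection_fd(argv, default=DEFAULT_FD):
    """With -d and no number, authtcp replaces the first argument that is
    solely '=' with the descriptor it chose. We assume (example convention)
    the program is invoked as `program =`, so the number lands in argv[1]."""
    if len(argv) > 1 and argv[1].isdigit():
        return int(argv[1])
    return default


def serve(fd, environ):
    """Answer one request on the authenticated connection. The socket is
    detached, not closed: RESTRICTIONS says the connection must stay open
    until program exits so nobody else can reuse the authenticated port."""
    ident = peer_identity(environ)
    sock = socket.socket(fileno=fd)
    try:
        request = sock.recv(512).decode("ascii", "replace").strip()
        if ident is None:
            reply = "not run under authtcp\n"
        elif not ident[0]:
            reply = "peer at %s is unauthenticated\n" % ident[2]
        else:
            reply = "peer is %s at %s\n" % (ident[1], ident[2])
        sock.sendall(reply.encode("ascii"))
        return ident, request, reply
    finally:
        sock.detach()  # fd stays open for the rest of our lifetime


def demo():
    """Stand-in for authtcp: socketpair as the TCP connection, constructed
    REMOTE/PROTO values as authtcp's environment."""
    ours, peer = socket.socketpair()
    peer.sendall(b"who am i\n")
    result = serve(ours.fileno(), {"PROTO": "TCP", "REMOTE": "alice@example@10.1.2.3"})
    answer = peer.recv(512).decode("ascii")
    peer.close(); ours.close()
    return result, answer
```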

 

DIAGNOSTICS

do not understand inetaddr
You probably specified a domain name address that authtcp can't decode.
cannot execute
authtcp is unable to execute program.
cannot unlink authentication entry
This should never happen; if it does, report the problem to your system administrator and make sure the entry is removed.
cannot bind local port
You probably specified a protected or out-of-range port with -p. If you didn't specify -p and this message appears without a number, all TCP ports are in use. Report this to your system administrator.
cannot confirm connection
authtcp is unable to access TCP status information for the connection. This shouldn't happen; let your system administrator and travel agent know if it does.
cannot allocate environment
There's so little memory available that authtcp is unable to find space for the REMOTE and PROTO environment variables. If REMOTE and PROTO are in the environment when authtcp starts, this can't happen, and authtcp will run just a tiny bit faster. (On the other hand, most other programs will run a tiny bit slower.)
cannot connect
Self-explanatory.
connected to
Self-explanatory.
killed by signal
Self-explanatory.
cannot authenticate
authtcp is not set up correctly.
local port locked
authtcp is not set up correctly.
cannot setreuid
This should never happen.
cannot create socket
This shouldn't happen, unless you have too many files open.
cannot use file descriptor
This should never happen.
cannot get socket name
This shouldn't happen.
 

MACHINES

authtcp has been tested on an Astronautics ZS-2 running ZSUnix, a Sun 3 running SunOS, a Sun 4 running SunOS, a Convex C-210 running Convex UNIX, and several other machines.  

FILES

/usr/etc/auth/tcp/*  

BUGS

None known.  

RESTRICTIONS

If program closes the connection long before exiting, another user can with a little effort make the same connection and pretend to be the user running authtcp. Hence program should exit soon after closing the connection. (Within several seconds is usually good enough.) A slightly more subtle security problem is that a program may set up a connection under authtcp, break the connection without exiting, and wait for a victim program to make the same connection. If the attacker chose the correct local port number, there are two possibilities: Either the victim uses the authentication mechanism and will fail to connect, or the victim does not understand the mechanism and will be misrepresented by authd. As of version 1.5, authtcp closes both of these holes, by keeping the connection open until program exits. Hence program must not depend upon the connection being closed before it exits.

authtcp's most important function is to create a locally authenticated connection; remote authentication is useful but can be performed by program. It is sometimes difficult to explain that the auth in authtcp stands for local, not remote, authentication.

If gethostbyname(3) doesn't understand the Domain Name Server, authtcp won't either.

authtcp should try all the possible addresses returned by gethostbyname(3); it only tries the first.

If program passes the connection to another process and exits, authentication will be lost.  

VERSION

authtcp version 2.1, dated April 18, 1990.  

AUTHOR

Copyright 1990, Daniel J. Bernstein.  

SEE ALSO

attachport(1), authuser(3), tcp(4), authd(8), gethostbyname(3), getservbyname(3)
