[Standards] Loopback Authentication
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Wed Jan 31 20:48:13 CST 2007
Hi folks,
I'd like to find a simple method for a client to log into an XMPP server
without a password, when the client and server are running on the same
machine.
The primary use-case I have in mind is for a server configuration program to
connect to a running server instance. If you are already ssh'd into some
system so that you can configure your XMPP server, you don't want to have to
type *another* password to run the command-line configurator. It should
already know who you are and it should just work. Like a simplified single
sign-on. Please, no Kerberos or extra daemons and things. I just want a
simple, local machine only, method.
Here's a good URL on the topic:
http://www.gridforum.org/mail_archive/security-wg/2002/Archive/msg00850.html
I bring this up on the Standards list, because I'd like to put together a spec
for this kind of authentication, and maybe it should be standardized. I'm
also curious about the best way to go about designing such an authentication
mechanism.
As an example, in Linux, it is possible to inspect /proc/net/tcp to determine
the uid of a given TCP connection. The XMPP server could look up a peer
address/port in this table. The client could then authenticate with SASL
EXTERNAL, since the server already knows who it is. This is just a rough
example, I don't know if it is foolproof, but you get the idea. Another idea
may be for the client to drop a file in /var, and the server can check the
file ownership to validate the client. Some mechanisms may require more
steps than others, or require attributes to be exchanged over XMPP.
Unfortunately, there is no clean cross-platform solution for this kind of
thing. Depending on how many platforms we'd want loopback authentication to
work on, we could end up with 3 or 4 mechanisms. Do we want to make a
handful of new SASL mechanisms? (putting loopback auth on the level of SASL)
Or would it be better to design our own loopback handshake protocol and then
always follow up with SASL EXTERNAL? (putting loopback auth on the level of
starttls)
-Justin
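The /proc/net/tcp lookup sketched in the post, as an added example that is not part of the original message and not code from any XMPP server. It parses the table into records, then resolves the uid owning the client end of a loopback connection from the peer address/port the server sees. The table text, the server endpoint 127.0.0.1:5222, the uids and the inode numbers are constructed sample data; the address decoding assumes a little-endian host (x86, ARM), where the kernel prints 127.0.0.1 as 0100007F. IPv6 sockets live in /proc/net/tcp6 with a different address layout and are deliberately not handled here.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

ESTABLISHED = "01"  # value of the "st" column for TCP_ESTABLISHED


@dataclass(frozen=True)
class TcpEntry:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int


# Constructed sample table. Line 0 is the server's listening socket,
# line 1 its accepted end of one connection, line 2 the client's end of
# that connection (owned by uid 1000), and line 3 a stale CLOSE_WAIT
# socket from a different user that must not be mistaken for a live one.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1466 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1466 0100007F:A112 01 00000000:00000000 00:00000000 00000000   105        0 20002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:A112 0100007F:1466 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:A113 0100007F:1466 08 00000000:00000000 00:00000000 00000000  1001        0 20004 1 0000000000000000 20 4 30 10 -1
"""


def _decode_endpoint(field: str):
    """Turn 'ADDR:PORT' hex as printed by the kernel into ('a.b.c.d', port).

    The IPv4 address is the native-order reading of the network-order
    bytes, so on little-endian hosts 127.0.0.1 appears as 0100007F.
    Ports are plain big-endian hex.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text: str) -> List[TcpEntry]:
    """Parse the text of /proc/net/tcp (header line included)."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or blank line: ignore rather than crash
        lip, lport = _decode_endpoint(fields[1])
        rip, rport = _decode_endpoint(fields[2])
        entries.append(TcpEntry(lip, lport, rip, rport,
                                fields[3], int(fields[7]), int(fields[9])))
    return entries


def read_proc_net_tcp(path: str = "/proc/net/tcp") -> List[TcpEntry]:
    """Read and parse the live table (Linux only)."""
    with open(path, "r", encoding="ascii") as fh:
        return parse_proc_net_tcp(fh.read())


def peer_uid(entries: List[TcpEntry], peer_ip: str, peer_port: int,
             server_ip: str, server_port: int) -> Optional[int]:
    """uid owning the client end of a loopback connection, or None.

    The client's socket is the entry whose *local* endpoint is the peer
    the server sees and whose *remote* endpoint is the server's own
    accepted socket. Only ESTABLISHED entries count, and anything other
    than exactly one match is refused rather than guessed.
    """
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return None  # a non-loopback client's socket is not in this table
    matches = [e for e in entries
               if e.state == ESTABLISHED
               and (e.local_ip, e.local_port) == (peer_ip, peer_port)
               and (e.remote_ip, e.remote_port) == (server_ip, server_port)]
    if len(matches) != 1:
        return None
    return matches[0].uid


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE)
    print(peer_uid(table, "127.0.0.1", 41234, "127.0.0.1", 5222))  # 1000
    print(peer_uid(table, "127.0.0.1", 41235, "127.0.0.1", 5222))  # None
```

Two points worth keeping in mind if this is used as the basis for SASL EXTERNAL: the lookup is only meaningful for the connection that is still open, so the server should perform it on the live socket immediately before granting the identity, and a lookup that finds no entry or more than one must fail closed, as above, instead of falling back to a weaker guess.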