[zeromq-dev] Authentication with curve

Pieter Hintjens ph at imatix.com
Wed Jan 1 12:30:48 CET 2014

Oops. I'm wrong... the client metadata (including identity) is not
sent until after authentication. There is no way for the ZAP handler
to authenticate based on that. I'll think about how to solve this...

On Wed, Jan 1, 2014 at 12:28 PM, Pieter Hintjens <ph at imatix.com> wrote:
> The ZAP handler gets the identity of the client (along with all
> metadata) and can validate it. So you can use client identity + public
> key authentication, and then each message will report the
> authenticated sender.
> On Tue, Dec 31, 2013 at 7:08 PM, Drew Crawford <drew at sealedabstract.com> wrote:
>> I think I can supply a patch that is at least good enough to get cleaned up and merged by a zmq dev.  The open question at this point is which way the correlation should get resolved.  One possibility is to populate the ZAP identity with the router identity instead of the empty string.  Another possibility is to populate the userid from ZAP somewhere in the router.  There are other possibilities that have not occurred to me.
>> I know enough to make a run at any of these, but not enough to identify the best solution from the set of options.  I’m hoping a dev can pop out of the woodwork and identify which solution is the one that should be tried.
>> Drew
>> On Dec 31, 2013, at 11:51 AM, Nicolas Delaby <ticosax at free.fr> wrote:
>>> On 12/31/2013 06:30 PM, Drew Crawford wrote:
>>>> Hi Nicolas,
>>>> I’m reasonably sure we have the same problem, and I’ve gotten somewhat further along without solving it.  We may want to compare notes.  Take a look at my thread "How do I find out which ZAP user I'm talking to?".
>>> Hi Drew,
>>> Yes indeed, we are facing the same issue.
>>> So far I'm using an ugly hack assuming that the immediate next recv()
>>> contains the identity of the peer I just authorized within my
>>> zap_handler. This code is not used in production yet, so I believe it
>>> works only by chance. I wanted to have confirmation from a zeromq dev.
>>> My attitude on open-source projects is to come with a pull request when
>>> my needs are not fulfilled. But unfortunately C++ is far beyond my
>>> skills. So I hope to find new ideas here that I didn't think about.
>>> Your testimony doesn't make me feel more confident :)
>>> As an ultimate workaround I will probably fall back on zmq.PLAIN + stunnel.
>>> Cheers,
>>> Nicolas
>>> _______________________________________________
>>> zeromq-dev mailing list
>>> zeromq-dev at lists.zeromq.org
>>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
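The ZAP exchange discussed in this thread, as an added example that is not part of the original messages or of libzmq: a socket-free handler that parses a ZAP request using the frame layout from ZeroMQ RFC 27 and decides on the CURVE public key alone, returning the user id in the reply. The key table, user names and function names are constructed for illustration.

```python
# Added example: ZAP (ZeroMQ RFC 27) request handling without a socket.
# Frame layout follows the RFC; keys and user names below are constructed.
ZAP_VERSION = b"1.0"

# Constructed sample: 32-byte CURVE public keys mapped to application user ids.
AUTHORIZED_KEYS = {
    bytes(range(32)): b"alice",
    bytes(range(32, 64)): b"bob",
}

def parse_zap_request(frames):
    """Split a ZAP request (empty delimiter already stripped) into fields."""
    if len(frames) < 6:
        raise ValueError("short ZAP request")
    version, request_id, domain, address, identity, mechanism = frames[:6]
    if version != ZAP_VERSION:
        raise ValueError("unsupported ZAP version")
    return {
        "request_id": request_id,
        "domain": domain,
        "address": address,
        "identity": identity,        # reported as empty in this thread
        "mechanism": mechanism,
        "credentials": frames[6:],   # CURVE: one frame, the client public key
    }

def zap_reply(request_id, code, text, user_id=b""):
    """Build reply frames: version, id, status code, text, user id, metadata."""
    return [ZAP_VERSION, request_id, code, text, user_id, b""]

def handle_zap(frames, authorized=AUTHORIZED_KEYS):
    try:
        req = parse_zap_request(frames)
    except ValueError as exc:
        request_id = frames[1] if len(frames) > 1 else b""
        return zap_reply(request_id, b"400", str(exc).encode())
    if req["mechanism"] != b"CURVE":
        return zap_reply(req["request_id"], b"400", b"CURVE required")
    creds = req["credentials"]
    if len(creds) != 1 or len(creds[0]) != 32:
        return zap_reply(req["request_id"], b"400", b"bad CURVE credentials")
    # Decide on the public key only. The identity frame is ignored because,
    # per the thread, client metadata is not available before authentication.
    user = authorized.get(creds[0])
    if user is None:
        return zap_reply(req["request_id"], b"400", b"unknown public key")
    return zap_reply(req["request_id"], b"200", b"OK", user)
```

The user id frame is filled only on a "200" reply, so any later correlation between a peer and its ZAP user has to start from the key-to-user mapping kept by the handler.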
