[zeromq-dev] Any way to get key used for router connection

Arnaud Kapp kapp.arno at gmail.com
Mon Aug 17 16:48:16 CEST 2015


Hello,

There is an easy way to do what you want, but it isn't obvious at
first. ZAP is actually allowed to set a "User-Id" meta-data property
for all messages from a connection.
This means that your ZAP code can chose to set the curve key as the
user-id for the connection.

To set a user-id property from the ZAP handling code, you simply have
to specify it in the ZAP reply you write. You will then be able to
retrieve the user-id (which would be the curve public key, if you
chose so) by doing something like zmq_msg_gets(msg, "User-Id");

Hope this helps.

On Mon, Aug 17, 2015 at 4:03 PM, Charles West <crwest at ncsu.edu> wrote:
> Hey Pieter,
>
> Thank you for taking the time to respond.
>
> I have read both of the blog entries, the source for zauth and based my code
> off of the specification for the ZAP protocol.  The closest/most relevant
> documentation I saw was your discussion with Stephen Eley in the "Confirm
> authentication and retrieve metadata?" thread.
>
> If I may ask, is there some obvious way that I am missing to get the key
> associated with a connection with a Router in ZMQ 4.0.4 (the zmq available
> in the Ubuntu repositories)?  Alternatively, is there any good way to figure
> out which router connection a ZAP request refers to?
>
>
> I apologize if I have missed something obvious, but the examples I have seen
> seem focused on go/no go authentication rather than keys with different
> levels of permissions.
>
> Thanks,
> Charlie West
>
>
> On Mon, Aug 17, 2015 at 6:35 AM, Pieter Hintjens <ph at imatix.com> wrote:
>>
>> Have you studied the security examples I wrote?
>>
>> - read http://hintjens.com/blog:48 and http://hintjens.com/blog:49
>> - don't use ROUTER identity, the field is really a routing key and has
>> nothing to do with peer identity
>> - look at how CZMQ's zauth works, and look at the RFC for the ZAP
>> protocol (http://rfc.zeromq.org/spec:27)
>>
>> On Mon, Aug 17, 2015 at 5:43 AM, Charles West <crwest at ncsu.edu> wrote:
>> > Hello!
>> >
>> > I'm building the second version of a open source differential GPS
>> > sharing
>> > software (pylongps.com).  I've run into a bit of a snag though.
>> >
>> > Does anyone know of a good way to get the key associated with a CURVE
>> > router
>> > connection?  ZAP authentication can check if a key is on the whitelist,
>> > but
>> > it doesn't appear to provide more than a go/no go.  I need to be able to
>> > check the key associated with a specific ROUTER connection so that I can
>> > limit what the owner of a particular connection key can do (people with
>> > one
>> > key can't pretend to be someone else).
>> >
>> > My original idea was to use the ZMQ_IDENTITY field to set the connection
>> > ID
>> > to a superset of the connection key, then just have the ZAP handler
>> > verify
>> > the connection ID contained the key at the beginning.  Further ID
>> > processing
>> > would then be done via the connection ID at the router socket.  However,
>> > the
>> > ZMQ_IDENTITY set does not show up in the ZAP messages, so this isn't
>> > possible.  Further reading of the mailing list indicates that the
>> > ZMQ_IDENTITY isn't suppose to propagate like that anyway.
>> >
>> > The brute force solution would be to force a authentication exchange
>> > using a
>> > signing key and a nonce at the router (router sends nonce, client signs
>> > or
>> > encrypts it and sends it back).  Thats basically doing a whole handshake
>> > on
>> > top of the ZMQ_CURVE protocol, which seems rather overkill.
>> >
>> > Does anyone know of a better approach?
>> >
>> > Thanks,
>> > Charlie West
>> >
>> > _______________________________________________
>> > zeromq-dev mailing list
>> > zeromq-dev at lists.zeromq.org
>> > http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>> >
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
>
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>



-- 
Kapp Arnaud - Xaqq



More information about the zeromq-dev mailing list