[zeromq-dev] curveZMQ: authentication / ability to identify peers

Pieter Hintjens ph at imatix.com
Sun Nov 15 21:32:58 CET 2015


It's not simple and I don't have the examples yet.

zmq_msg_gets() lets you know who a message came from. You will want to
use the User-Id value, or another value provided by the ZAP handler,
taken from the client certificate.

On Sun, Nov 15, 2015 at 7:27 PM, Walter B. Rasmann <zeromq.wbr at gmail.com> wrote:
> First of all: Thanks for your reply!
>
> I have read the examples at http://hintjens.com/blog:49 and I like them.
> What I miss is a way for my application to distinguish between clients.
> Typically "authentication" implies the ability to know "who" exactly is
> connecting to you or who you are connecting to.
>
> Currently I can authorize peers to connect to me by putting their public key
> into my certificate store directory. So I know all peers, but in my
> application code I can't know which peer is connected to me and can't use
> this information for logging, authorization etc. At least I haven't found a
> way to do that.
>
> On Sun, Nov 15, 2015 at 6:56 PM, Chuck Price <chuck at peloton-tech.com> wrote:
>>
>> CurveZMQ provides mutual authentication already. The client provides its
>> public key during connection establishment. If the server is authenticating
>> clients (you can choose not to) it checks that public key against public
>> keys it has registered.
>>
>> You have to implement the initial registration of clients yourself, in a
>> secure fashion. Either you generate the client’s key pair and provide it to
>> the client securely, or the client generates its key pair and provides it to
>> the server securely. In either registration scenario, you have to
>> pre-establish trust in some other way, else the keys you are exchanging
>> can’t be trusted.
>>
>> -chuck
>>
>> > On Nov 15, 2015, at 9:43 AM, Walter B. Rasmann <zeromq.wbr at gmail.com>
>> > wrote:
>> >
>> > I'm considering using curveZMQ for authentication and connection
>> > security. Unfortunately I haven't found a way to identify connecting
>> > clients. That would be needed in order to see if they are authorized to do
>> > stuff on the server, which seems to be a typical use case whenever
>> > authentication is used.
>> >
>> > My questions are:
>> >
>> > Would it be possible to extend the zeroMQ API to enable reading out
>> > connection information which can be used for authentication?
>> >
>> > The following might be quite useful in this context:
>> >   - authentication method
>> >   - peer IP address
>> >   - peer verified public key
>> >   - peer verified username
>> >
>> > Are there any plans to implement something like that?
>> >
>> > Would that be considered a useful feature?
>> > _______________________________________________
>> > zeromq-dev mailing list
>> > zeromq-dev at lists.zeromq.org
>> > http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>
>
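As an added illustration of the approach Pieter describes (not code from this thread or from libzmq), the decision a ZAP handler makes, written in pure Python against the ZAP 1.0 request/reply frame layout from ZeroMQ RFC 27, with a Z85 encoder matching RFC 32 so that the raw client key can be looked up against the Z85 keys a certificate store holds. The client key, the store contents and the peer address are constructed placeholders, and the socket plumbing that binds the handler to inproc://zeromq.zap.01 is left out.

```python
import struct

# Z85 alphabet from ZeroMQ RFC 32; libzmq's zmq_z85_encode() yields the same strings,
# and ZeroMQ certificate files store public keys in this form.
Z85_CHARS = ("0123456789abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")

def z85_encode(data: bytes) -> str:
    """Encode bytes whose length is a multiple of 4 (a 32-byte CURVE key qualifies)."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = []
    for (word,) in struct.iter_unpack(">I", data):
        chunk = []
        for _ in range(5):           # 85^5 > 2^32, so five symbols per 32-bit word
            word, rem = divmod(word, 85)
            chunk.append(Z85_CHARS[rem])
        out.extend(reversed(chunk))  # most significant symbol first
    return "".join(out)

def zap_authenticate(request: list, cert_store: dict) -> list:
    """Decide one ZAP 1.0 request and build the reply frames.

    Request frames (RFC 27): version, request id, domain, address, identity, mechanism,
    then credentials. For CURVE the single credentials frame is the client's 32-byte public
    key, already proven by libzmq's handshake; the handler only decides whether that key is
    known and which User-Id it maps to. The address frame (peer IP) is available for logging.
    """
    version, request_id, domain, address, identity, mechanism = request[:6]
    credentials = request[6:]
    if version != b"1.0":
        return [b"1.0", request_id, b"500", b"Unsupported ZAP version", b"", b""]
    if mechanism != b"CURVE" or len(credentials) != 1 or len(credentials[0]) != 32:
        return [b"1.0", request_id, b"400", b"CURVE credentials required", b"", b""]
    user_id = cert_store.get(z85_encode(credentials[0]))
    if user_id is None:
        return [b"1.0", request_id, b"400", b"Unknown client key", b"", b""]
    # Status 200 plus a User-Id: libzmq attaches it to every message from this peer
    # as the "User-Id" property, readable with zmq_msg_gets(msg, "User-Id").
    return [b"1.0", request_id, b"200", b"OK", user_id.encode(), b""]

# Constructed placeholders, not real keys: the client's raw public key and the
# server's certificate store (Z85 public key -> User-Id) as loaded from its cert directory.
CLIENT_KEY = bytes(range(32))
CERT_STORE = {z85_encode(CLIENT_KEY): "alice"}

def demo_request(key: bytes = CLIENT_KEY) -> list:
    """A ZAP request as libzmq would send it for a CURVE client from a constructed address."""
    return [b"1.0", b"1", b"global", b"192.0.2.10", b"", b"CURVE", key]
```

The User-Id returned here is what the application then reads per message with zmq_msg_gets(); the certificate store alone only says that a key is allowed, not which peer a message came from.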
