These code snippets show how the authentication system works in RPC.
System is the only authentication method that is provided on i5/OS™. The following information is set up and passed from the client to the service with every clnt_call(). In the following code snippets, notice that rpc_call() is not sufficient when using authentication information, because it uses authnone (an empty authentication token) as the default:
The authentication information comes directly into the service as part of the remote request. It is up to the server to parse this information and verify that the client is from a trusted machine and a trusted user. If the authentication type is incorrect, or too weak for the server to accept, the server sends back an error, using svcerr_weakauth(), to indicate this to the client.
```c
#include <sys/types.h>   /* needed for gid_t and uid_t */
#include <stdlib.h>      /* misc. system auth APIs */
#include <string.h>      /* strcmpi() */
#include <errno.h>
#include <rpc/rpc.h>     /* struct authsys_parms, svcerr_weakauth() */

/* This fragment runs inside the service dispatch routine, where    */
/* request is the struct svc_req * and svc is the SVCXPRT * of the  */
/* incoming call.                                                   */

struct authsys_parms *credentials;  /* authentication information */
char *remote_machine;               /* machine name (from the credentials) */
uid_t remote_user;                  /* remote user's UID (from credentials) */

/* make sure we got the correct flavor of authentication */
if (request->rq_cred.oa_flavor != AUTH_UNIX) {
    /* if not, send back a weak authentication message and return */
    svcerr_weakauth(svc);
    return;
}

/* get our credentials */
credentials = (struct authsys_parms *)(request->rq_clntcred);

/* get the remote user's UID */
remote_user = credentials->aup_uid;

/* get the remote hostname of the client */
remote_machine = credentials->aup_machname;

/* check to see if this machine is "trusted" by us */
if ((strcmpi("remote1", remote_machine) != 0) &&
    (strcmpi("remote2", remote_machine) != 0)) {
    /* not from a machine we trust */
    /* send back an authentication error to the client */
    svcerr_weakauth(svc);
    return;
} /* end of if (!trusted hostname) */
else {
    /* now check the user id for one we trust */
    /* information can be gotten from DSPUSRPRF */
    if ((remote_user != 568) &&
        (remote_user != 550) &&
        (remote_user != 528)) {
        /* not a user id we trust */
        /* send back an authentication error to the client */
        svcerr_weakauth(svc);
        return;
    } /* end of if (!trusted uid) */
} /* end of else (trusted hostname) */

/* we fall through to here if the hostname and uid are trusted */
```
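As an added example (not IBM's code and not part of the original page), the sketch below goes one step beyond the server-side check above: it decodes the System credential body as it arrives on the wire, before the RPC library hands it to the service as authsys_parms, and then applies the same hostname and UID allowlist. The wire layout is taken from RFC 5531, Appendix A; the names sys_cred, decode_authsys, cred_trusted and SAMPLE are hypothetical, and POSIX strcasecmp() stands in for strcmpi().

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>   /* strcasecmp(), standing in for strcmpi() */

/* Decoded AUTH_SYS credential body (field order per RFC 5531, Appendix A). */
struct sys_cred { uint32_t stamp, uid, gid, ngids; char machine[256]; };

/* Constructed sample: stamp=1, machinename="remote1", uid=568, gid=100, no extra gids. */
const uint8_t SAMPLE[] = { 0,0,0,1, 0,0,0,7, 'r','e','m','o','t','e','1',0,
                           0,0,2,0x38, 0,0,0,100, 0,0,0,0 };

/* Read one big-endian XDR unsigned int; 0 on success, -1 if the buffer is short. */
static int get_u32(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    if (end - *p < 4) return -1;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4;
    return 0;
}

/* Decode the opaque credential body, rejecting anything outside protocol limits. */
int decode_authsys(const uint8_t *buf, size_t len, struct sys_cred *c)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t n, padded, skip;
    if (get_u32(&p, end, &c->stamp) || get_u32(&p, end, &n)) return -1;
    if (n > 255) return -1;                     /* machinename<255> */
    padded = (n + 3) & ~3u;                     /* XDR pads strings to 4 bytes */
    if ((size_t)(end - p) < padded) return -1;
    if (memchr(p, '\0', n)) return -1;          /* embedded NUL would cut the compare short */
    memcpy(c->machine, p, n);
    c->machine[n] = '\0';
    p += padded;
    if (get_u32(&p, end, &c->uid) || get_u32(&p, end, &c->gid) ||
        get_u32(&p, end, &c->ngids)) return -1;
    if (c->ngids > 16) return -1;               /* gids<16> */
    for (n = 0; n < c->ngids; n++)
        if (get_u32(&p, end, &skip)) return -1; /* supplementary gids are not used here */
    return p == end ? 0 : -1;                   /* trailing bytes are malformed */
}

/* Same allowlist as the snippet above: 1 = trusted, 0 = answer with svcerr_weakauth(). */
int cred_trusted(const struct sys_cred *c)
{
    if (strcasecmp(c->machine, "remote1") && strcasecmp(c->machine, "remote2"))
        return 0;
    return c->uid == 568 || c->uid == 550 || c->uid == 528;
}
```

Every field in this body is supplied by the client and carries no signature, so the allowlist sorts cooperating clients on a network that is already trusted rather than proving who sent the request.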