Bug 139956 - authd missing Java sockets
Summary: authd missing Java sockets
Alias: None
Product: Fedora
Classification: Fedora
Component: authd   
(Show other bugs)
Version: 3
Hardware: i686 Linux
Target Milestone: ---
Assignee: Eido Inoue
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-11-18 22:13 UTC by Ian Pilcher
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-11-19 20:45:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
server program (1.19 KB, text/plain)
2004-11-18 22:14 UTC, Ian Pilcher
no flags Details
C client program (1.01 KB, text/plain)
2004-11-18 22:21 UTC, Ian Pilcher
no flags Details
Java client program (464 bytes, text/plain)
2004-11-18 22:22 UTC, Ian Pilcher
no flags Details

Description Ian Pilcher 2004-11-18 22:13:23 UTC
Description of problem:

As of version 1.4.2, Java defaults to using IPv6 sockets.  When a
Java application connects to an IPv4 address, it creates an IPv6
connection to a "IPv4-mapped address" of the form ::ffff:w.x.y.z
(see http://java.sun.com/j2se/1.4.2/docs/guide/net/ipv6_guide/).
If authd receives a query from an IPv4 program on the other end of
such a socket, it only searches /proc/net/tcp.  Since the socket is
not listed there, it reports an error.

authd needs to be changed to also look for IPv4 sockets in
/proc/net/tcp6, using their IPv4-mapped addresses.

Version-Release number of selected component (if applicable):


How reproducible:

I have created a very simple client/server program to demonstrate this
problem.  I will attach three files:

  * sockserv.c is the server
  * sockcl.c is a C client
  * SocketClient.java is a Java client

The server listens on port 9999, accepts a single connection, and
prints anything that is typed on the client.  The Java client requires
a single parameter, the name or address of the server (the port is
hardcoded).  Both the server address and the port are hardcoded in the
C client, so you'll probably need to edit it.

I recommend using two separate systems for testing; things can get a
little confusing when running both the server and the Java client on a
single system; you'll need to open port 9999 in the firewall on the
server system to do this.

Once you set everything up and connect with the C client, you'll be
able to see the socket in /proc/net/tcp (or 'netstat --inet') on both
systems, as you would expect.  If you're running authd on the client
system, it will work as expected.  You'll need to use Ctrl-C to exit
the client, at which point the server should also exit.

Now restart the server and connect with the Java client.  Note that
the socket appears in /proc/net/tcp ('netstat --inet') on the server
system.  On the client system, however, the socket shows up only in
/proc/net/tcp6 ('netstat --inet6'), so authd won't find it.

Actual results:

See above.

Expected results:

authd should search /proc/net/tcp6, using IPv4-mapped addresses, find
the socket, and return the appropriate user information.

Additional info:

Note that this doesn't just authd-based authentication over the
network.  It also breaks it over the loopback adapter, which is the
only type of socket available to Java applications.  (For example, a
JDBC connection to a PostgreSQL database.)

Comment 1 Ian Pilcher 2004-11-18 22:14:26 UTC
Created attachment 106994 [details]
server program

Comment 2 Ian Pilcher 2004-11-18 22:21:46 UTC
Created attachment 106996 [details]
C client program

This uses GNU readline, so you will need to compile it with
'gcc -O2 -Wall -o sockcl sockcl.c -lreadline -lcurses'.

Comment 3 Ian Pilcher 2004-11-18 22:22:13 UTC
Created attachment 106997 [details]
Java client program

Comment 4 Eido Inoue 2004-11-19 19:07:29 UTC
authd DOES support IPv4-mapped IPv6 addresses, using the documented
"--mapped=ipv6" which pairs the specified top 96 bits with the lower
32 bits to match.

Granted, this parameter is not enabled by default in the xinetd
config, but the capability is there.

Comment 5 Ian Pilcher 2004-11-19 20:34:18 UTC
When I try to use "--mapped=ipv6", I just get an error message.

[pilcher@home ~]$ rpm -q authd
[pilcher@home ~]$ netstat --inet
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address      
tcp        0      0 home:9999           
tcp        0      0 localhost.localdomain:33596
localhost.localdomain:ssh   ESTABLISHED
udp        0      0 localhost.localdo:32771 localhost.localdo:32771
[pilcher@home ~]$ /usr/sbin/in.authd 33596,22
33596 , 22 : USERID : UNIX :pilcher
[pilcher@home ~]$ /usr/sbin/in.authd --verbose 33596,22
33596 , 22 : USERID : OTHER :pilcher:500,2004-11-19T20:35:54Z(Fri
02:35:54 PM -0600/CST),|33596,|22
[pilcher@home ~]$ /usr/sbin/in.authd --mapped=ipv6 33596,22
/usr/sbin/in.authd: invalid argument to --mapped: ipv6

Comment 6 Eido Inoue 2004-11-19 20:45:04 UTC
comment 5: you're taking the help/docs too literally; substitute the
word "ipv6" with a valid (that glibc would understand-- because it
uses glibc ipv6 address parse routines to decode i)) ipv6 address that
contains the top 96 bit prefix you want to mask against.

Note You need to log in before you can comment on or make changes to this bug.