Patches for saned/net/scanimage/user-authorization....

From: Jochen Eisinger (
Date: Fri Nov 17 2000 - 02:35:23 PST

  • Next message: mh: "QuiteInsane"

    Hi all!

    Here are some patches I'd propose to include into SANE:

    SANE Standard (then 1.0.2)

    doc/sane.tex include/sane/sane.h:
            * SANE_MAX_USERNAME_LEN & SANE_MAX_PASSWORD_LEN are now 128 chars
    (instead of 256)

      system routines like getpasswd() just allow 128 chars... if we like to
    use them, we have to restrict ourselves to 128 chars

    doc/net.tex backend/net.c:
            * the SANE_NET_AUTHORIZE RPC can be interpreted in two different ways.
    If a backend uses the auth_callback the sane_call (sane_open,
    sane_control_option, sane_start) could fail, the frontend sends
    username/password and restarts the sane_call (HTTP-Style). Or the
    frontends just answers the username/password and the original sane_call
    continues (Callback-Style).

    Neither worked with net.c... I've changed this to the Callback-Style
    (which works now)


    the biggest problem with SANE user authorization is that the password is
    transmitted in plain-text. To avoid this Andreas Beck, Oliver Rauch and
    myself developed the following idea...

    the "old" way is this:

    1. backend (saned) requests a username/password for resource "res"

    2. the frontend (xsane & frontend/test.c is capable of doing this) asks
    the user for his or her username/password and sends them to the backend
    (in plain-text)

    3. the backend compares the res/username/password combination with a
    password-file, etc...

    the "new" way is:

    1. the backend requests a username/password for resource "res", but it
    appends the string "$MD5$" and a random string to the resource-name

    2.1. a dumb frontend displays this "strange" resource-name, asks the
    user for his name, etc... and returns all in plain-text

    2.2 a intelligent frontend displays only the "res", asks the user for
    his name/password and returns username and the MD5 digest of
    randomstring + password

    if the password is "mypass" the returned password would be

    md5sum ("iamarandomstringmypass") = ea1075c68434ca93b98b74ae1fcb4842

    To signal the backend that the frontend used MD5, it prepends the md5
    digest of the password with the string "$MD5$". In this case, it would


    3.1 If the frontend receives a plain-text reply, it compares the
    username/password with its list

    3.2 it the frontend receives a md5-reply, it calculates the md5 of the
    password it has in its list and compares it with the password received
    from the frontend


    This has the advantage, that the password isn't transmitted over the
    network... a disadvantage is that the passwords are stored in plain-text
    on the server...

    To make it possible to include this kind of user-authorization easily,
    there is a new interface:

    lib/md5.c include/md5.h include/sane/sanei_auth.h sanei/sanei_auth.c:

            * These files implement the above proposed user authentification. A
    backend just has to call

            sanei_authorize ("resource-name", STRINGIFY(BACKEND_NAME),

      if a file SANEI_CONFIG_DIR/BACKEND_NAME.users exist containing lines
    of the form


    the sanei_authorize calls the auth_callback and checks whether the user
    is allowed to access this resource. If the authorization fails, the
    procedure returns SANE_STATUS_ACCESS_DENIED in all other cases it
    returns SANE_STATUS_GOOD.

    The random-string used by the sanei_authorize is the PID of the backend,
    the time(NULL) and some random bytes taken from /dev/urandom (or from
    rand() if /dev/urandom doesn't exist - this is checked by the configure

    frontend/scanimage.c frontend/saned.c doc/ doc/

    furthermore, I've modified scanimage to handle such requests... if a
    file ~/.sane/pass exists, it is used to automate the process
    (permissions must be 0600 at least, the format is the same as for
    sanei_authorize). To make sure the frontend isn't replying to old
    unsecures password-request, you can use the command-line option

    saned is modifed to restrict access for certain backends... if a file
    SANE_CONFIG_DIR/saned.users exists (contain lines of the form



    mustek:henning:better secret!!!

    ) only these users are allowed to access these backends... note that all
    other backends can be accessed by everybody.


    I hope I made myself clear...

    please send feedback!!

    I've attached a tar-ball of all modified files... (I modified the
    version available from CVS at Nov-16 (3 pm CET)

    -- jochen

    Source code, list archive, and docs:
    To unsubscribe: echo unsubscribe sane-devel | mail

    This archive was generated by hypermail 2b29 : Fri Nov 17 2000 - 09:26:07 PST