authd - authentication server daemon
tcpuid, tcpuname - find out which user owns a connection
authuser - remote authentication library

authd is an implementation of RFC 931, the Authentication Server under
BSD. RFC 931 provides the name of the user owning a TCP connection. This
helps network security: unless TCP itself is compromised, it is
impossible to forge mail or news between computers supporting RFC 931.
It also becomes much easier to trace attackers than in the current,
largely anonymous, network. authd requires no changes to current code:
every connect() and accept() is authenticated automatically, with no
loss of efficiency.

tcpuid and tcpuname are the same program, but more suitable for local
use from the command line by a user or system administrator. They show
which local user created a given TCP connection.

authuser is a library encapsulating client use of RFC 931. It talks to a
remote Authentication Server to find out the username on the other side
of a given connection.
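
Added example, not code from the authd distribution or from authuser.c: a
parser for the one-line reply an RFC 931 server sends, showing the checks a
client wants before trusting the name. The function name
parse_rfc931_reply and the sample reply are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of authuser.c. Parses one RFC 931 reply:
 *   <port>, <port> : USERID : <opsys> : <user>
 *   <port>, <port> : ERROR : <error-type>
 * qa, qb: port pair sent in the query. Returns 1 (user filled in) on a
 * valid USERID reply, 0 on an ERROR reply, -1 on anything malformed. */
int parse_rfc931_reply(const char *line, unsigned qa, unsigned qb,
                       char *user, size_t userlen)
{
    unsigned ra, rb;
    char kind[16], rest[256];
    const char *p;
    size_t n, i;

    if (userlen == 0) return -1;
    user[0] = '\0';
    if (sscanf(line, " %5u , %5u : %15[^: \t\r\n] : %255[^\r\n]",
               &ra, &rb, kind, rest) != 4)
        return -1;
    /* The reply must echo the queried pair, or it answers another question. */
    if (ra != qa || rb != qb) return -1;
    if (strcmp(kind, "ERROR") == 0) return 0;
    if (strcmp(kind, "USERID") != 0) return -1;
    p = strchr(rest, ':');              /* skip the <opsys> field */
    if (p == NULL) return -1;
    for (p++; *p == ' ' || *p == '\t'; p++)
        ;                               /* this example drops leading blanks */
    n = strlen(p);
    while (n > 0 && (p[n - 1] == ' ' || p[n - 1] == '\t')) n--;
    if (n == 0 || n >= userlen) return -1;
    /* The name is chosen by the remote host and tends to end up in logs:
     * accept printable ASCII only. */
    for (i = 0; i < n; i++)
        if (!isprint((unsigned char)p[i])) return -1;
    memcpy(user, p, n);
    user[n] = '\0';
    return 1;
}

int main(void)
{
    char u[64];
    /* Constructed sample reply, not captured traffic. */
    int r = parse_rfc931_reply("6191, 23 : USERID : UNIX : joe\r\n", 6191, 23, u, sizeof u);
    printf("%d %s\n", r, u);
    return 0;
}
```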

Only root can install authd. However, most current systems are insecure
enough that any user can run tcpuid and tcpuname. authuser is meant for
use by any program.



authd version 3.01, February 7, 1991.
Placed into the public domain by Daniel J. Bernstein.
Some of the code in authd was inspired by code written by
Vic Abell, abe@mace.cc.purdue.edu, for the ofiles program.


Organization of README:

1. Files
2. Requirements
3. How to configure authd
4. How to compile authd
5. How to install authd
6. TODO list


1. Files

README          this file
FORMLETTER      form letter to send to the author
FILES           file list
INSTALL         friendly installation script
CHANGES         description of changes since first distributed version
Makefile        compilation commands
authd.c         the authd program
authuser.h      the authuser include file
authuser.c      the authuser library
authd.8         documentation for authd
tcpuid.8        documentation for tcpuid
tcpuname.8      documentation for tcpuname
authuser.3      documentation for authuser
test.c          program to test authuser and authd
netstatuid      shell script to test tcpuname
rfc931          RFC 931, Authentication Server



2. Requirements

authd requires netstat, and it pokes around in several BSD-specific
kernel structures. It is not inherently portable code. Nevertheless, it
has been compiled under Ultrix, SunOS, and Convex UNIX, and it probably
doesn't take much work to get running under pretty much any BSD system.
authuser should compile and run without trouble on any BSD system.

You must be root to install authd. However, authd's sister utilities,
tcpuid and tcpuname, will probably work anyway if /dev/kmem is readable.
Any program can use the authuser library.

authd and authuser have been reported to work on the following systems.

  Sun 2/170, SunOS 4.0
  Sun 4/280, SunOS 4.0.3
  Sun 3/160, SunOS 4.1
  Sun 3/180, SunOS 4.1
  DECsystem-5820, Ultrix 4.0
  DECStation-5400, Ultrix 4.1
  VAX 8650, Ultrix 4.1
  VAX (?), BSD 4.3
  Convex C210, Convex UNIX 8.0
    no kmem group---authd/tcpuid/tcpuname only work as root

If your machine isn't in this list, and you get the programs working,
*please* send a note to me at brnstnd@nyu.edu on the Internet describing
what you had to do to make the programs compile. (Of course, please also
let me know if you have trouble, or if you have comments, questions, or
suggestions.) I'd rather be flooded with reports and be able to compile
a more comprehensive list than have no feedback because everyone assumes
someone else has talked to me first. Use FORMLETTER if you want. Thanks
for being a good sport.



3. How to configure authd

Either authd.c has the right magic to compile and run on your system, or
it doesn't. In the first case you don't have to configure anything, and
in the second case automatic configuration would be pretty much
hopeless. (If authd doesn't compile, you might try sending me the
compiler output to see if I can figure out how to make it work on your
machine.) The authuser library should compile without trouble in any
case.

You can change CC or CCOPTS in Makefile if you want. If you want authd
to record connections through syslog at LOG_DEBUG, define -DUSE_SYSLOG
in the Makefile.



4. How to compile authd

Just make. This will create authd, tcpuid, tcpuname, authuser.o, and
test.



5. How to install authd

If you don't have privileges, skip this part.

By default, authd, tcpuid, and tcpuname are installed in /etc,
authuser.o is installed as /usr/lib/libauthuser.a, authuser.h is
installed in /usr/include, authuser.3 is installed in /usr/man/man3,
and authd.8, tcpuid.8, and tcpuname.8 are installed in /usr/man/man8.
The binaries are installed setgid to group kmem. If you want to change
these defaults, edit INSTALL.

Then run INSTALL in a root shell; the script will check every action
with you before doing it.

To test tcpuname, make sure it is in your path, and run netstatuid. You
should get a report of all active network connections including
usernames.

To test authuser and authd, run ./test. You should get an ``everything
looks okay'' message.



6. TODO list

fast multiple-connection version of tcpuid/tcpuname, like netstatuid?
should write a few notes on the exact security provided by rfc 931
