UNIX Authentication

A process calling a remote procedure might need to identify itself as it is identified on the UNIX system. The value of the credential's discriminant of an RPC call message is AUTH_UNIX.

The bytes of the credential's opaque body encode the following structure:

struct auth_unix {
     unsigned     stamp;             /* arbitrary ID generated by the caller's workstation */
     string       machinename<255>;  /* caller's workstation name, at most 255 bytes */
     unsigned     uid;               /* caller's effective user ID */
     unsigned     gid;               /* caller's effective group ID */
     unsigned     gids<10>;          /* counted array of group IDs, at most 10 entries */
};

The parameters in the structure are defined as follows:

Item          Description
stamp         Specifies the arbitrary ID generated by the caller's workstation.
machinename   Specifies the name of the caller's workstation. The name must not exceed 255 bytes in length.
uid           Specifies the caller's effective user ID.
gid           Specifies the caller's effective group ID.
gids          Specifies the counted array of group IDs that contain the caller as a member. A maximum of 10 groups is allowed.
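The following encoder and decoder for the credential's opaque body are an added example, not code from the original page: they apply the standard XDR rules (32-bit big-endian unsigned integers, strings as a length followed by bytes padded to a 4-byte boundary, counted arrays as a count followed by the elements) and enforce the 255-byte and 10-group limits the way a server-side parser should. The host name and ID values are constructed sample data.

```python
import struct

MAX_MACHINENAME = 255  # limit stated for machinename
MAX_GIDS = 10          # limit stated for the gids array


def _u32(value):
    """One XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", value)


def encode_auth_unix(stamp, machinename, uid, gid, gids):
    """Encode an auth_unix structure as the bytes of the credential's opaque body."""
    name = machinename.encode("ascii")
    if len(name) > MAX_MACHINENAME or len(gids) > MAX_GIDS:
        raise ValueError("auth_unix field exceeds protocol limit")
    pad = (-len(name)) % 4  # XDR pads string bytes to a multiple of 4
    body = _u32(stamp) + _u32(len(name)) + name + b"\x00" * pad
    body += _u32(uid) + _u32(gid) + _u32(len(gids))
    for g in gids:
        body += _u32(g)
    return body


def decode_auth_unix(body):
    """Parse an opaque body as a server would, rejecting oversized or truncated input."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated auth_unix body")
        (v,) = struct.unpack_from(">I", body, off)
        off += 4
        return v

    stamp = u32()
    n = u32()
    if n > MAX_MACHINENAME:
        raise ValueError("machinename longer than 255 bytes")
    padded = n + (-n) % 4
    if off + padded > len(body):
        raise ValueError("truncated machinename")
    name = body[off:off + n]
    off += padded
    uid, gid = u32(), u32()
    count = u32()
    if count > MAX_GIDS:
        raise ValueError("more than 10 gids")
    gids = [u32() for _ in range(count)]
    if off != len(body):
        raise ValueError("trailing bytes after auth_unix body")
    return {"stamp": stamp, "machinename": name.decode("ascii"),
            "uid": uid, "gid": gid, "gids": gids}
```

Note that nothing in this body is signed or otherwise bound to the caller; the server learns only what the client chose to assert, which is why the verifier that accompanies it is AUTH_NULL.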

The verifier accompanying the credentials should be AUTH_NULL.

The value of the discriminant in the response verifier of the reply message from the server is either AUTH_NULL or AUTH_SHORT. If the value is AUTH_SHORT, the bytes of the response verifier's string encode an opaque structure. The new opaque structure can then be passed to the server in place of the original AUTH_UNIX credentials. The server maintains a cache that maps shorthand opaque structures (passed back by way of an AUTH_SHORT-style response verifier) to the original credentials of the caller. The caller saves network bandwidth and server CPU time when the shorthand credentials are used.

Note: The server can eliminate, or flush, the shorthand opaque structures at any time. If this happens, the RPC message will be rejected due to an AUTH_REJECTEDCRED authentication error. The original AUTH_UNIX credentials can be used when this happens.