RPC and Unix Authentication

Mike Cook and Mich Cook





Introduction:

Our goal was to learn about TCP and RPC to be able to modify the client/server applications written by Jesse Stebbins and Beth Burkhardt in their 1997 REU project. We then implemented Unix authentication in the programs to control the access to the server program.

A Description of Last Year's Application:

The original server application was a server program running on an HP K Class 9000. The server program begins by executing two functions that prepare the server for a connection from a client. The first function maps the cryosection images of the digital cadaver data set into virtual memory, while the second function prepares an array containing the possible red, green, and blue values for the 256 different possible colors for each of the images. Next, the server program sets up a socket to be used for its side of the communication. Finally, with its side of the communication via TCP set up, it waits for a connection, forking when a connection is made.

The client must be run on a Silicon Graphics workstation because the graphics use the OpenGL graphics library, supported by SGI's. The client creates a cube on the screen representing the section of the cadaver that is hard coded into a configuration file. The configuration file also determines which of the four options for drawing a slice will be used. These options are: one slice, multiple slices, a planar slice, or a volume. The user uses the mouse to choose where the slice comes from. The client creates a socket and makes a request to the server for the colors on the slice whose coordinates it is sending.

The coordinates of the slice are sent to the server are converted to the actual coordinates within the cadaver. The server accesses the appropriate cryosection image files in virtual memory, gets the data for each pixel of the image, and uses this information to find the appropriate color for each pixel. For each line, a set of coordinates, the client sends over to the server, the server sends back a set of colors corresponding to the color for each coordinate on that line. The client then displays all the lines in the cube as a manipulative object.

Implementing RPC in the Application:

To implement RPC in the existing client/server application, we first had to isolate those sections of the client and server programs that used network communication (i.e. socket initialization, sending and receiving data, etc). We began to consider how to replace the existing code for communication, which used a TCP format. We would still be communicating using TCP, but using RPC calls on top of the TCP protocol for radical changes in code.

The client sends two data sets to the server: the boundaries of the portion of the cadaver to consider and an array of coordinates (a line) to the server. The server sends back an array of colors corresponding to the coordinates sent. Carefully constructed XDR structures assured both sides were receiving reliable RPC data unmodified by network travel. When the structures were coded, the programs were modified to incorporate the XDR structures and implement the RPC protocol.

Implementing UNIX Authentication in the Application:

After we modified the client/server application to use RPC, we moved on to the issue of adding authentication to the application. We implemented Unix authentication inm the application and, using a conditional statement in the code, could deny users with certain ID's from accessing the process.

We decided to expand our Unix authentication to be more secure. We created a configuration file which hard-coded the names of the machines that would have access to the services provided by the server program. For each of these machines, we then specified the number of valid user IDs for that machine, with a -1 meaning that all user IDs were valid. After specifying the number of valid user IDs for each machine, we then listed the actual user IDs that were valid. The configuration file provides a clean and readable format to visualize the data essential to providing secure Unix authentication. The file is easily modifiable by authorized users, so adding or removing valid machines and user IDs is easy. Testing the new application found it to be very secure for the purposes of the client/server application.


To send us questions, comments, or rude .wav files, email either of us:

M ich: cookm@augsburg.edu

M ike: mpcook@csbsju.edu


For possible updates, info on us, or a fun time, visit our web sites:

M ike's Page

M ich's Page