the fast, reliable localhost tunneling solution


DNS-Based Authentication

By Tito Brasolin 2012-12-10, 09:01

PyPagekite allows front-ends to delegate authentication to a remote service according to a DNS-based authentication protocol. The command line option --authdomain is documented here.

If you are not familiar with DNS requests and responses, just play around with your Python console and socket.gethostbyname_ex(hostname)

import socket
socket.gethostbyname_ex('mail.google.com')

The answer should look like this:

('googlemail.l.google.com', ['mail.google.com'], ['173.194.35.21', '173.194.35.22'])

DNS Lookup

If the front-end is running with --authdomain=myauthdomain.com a lookup string may look like this:

(srand).(token).(sign).http.myname.example.com.myauthdomain.com

When a back-end is connecting, the front-end queries the DNS server and extracts authentication errors and extended quota info from CNAME replies.

(hn, al, ips) = socket.gethostbyname_ex(lookup)

The primary hostname is splitted into error, days and connections informations:

if al:
  error, hg, hd, hc, junk = hn.split('.', 4)
  q_days = int(hd, 16)
  q_conns = int(hc, 16)
else:
  error = q_days = q_conns = None

A few constants are defined in common.py

AUTH_ERRORS           = '255.255.255.'
AUTH_ERR_USER_UNKNOWN = '.0'
AUTH_ERR_INVALID      = '.1'

If ips[0] starts with '255.255.255.' then an authentication error just happened: the user may be unknown (ips[0] ends with '.0') or invalid (ips[0] ends with '.1').

Otherwise the user has been authenticated and the quota is encoded in the IP. Look at LookupDomainQuota to see how it works.

Comments

  1. Michiel de Jong said on 2016-06-01, 14:05
    The link to LookupDomainQuota should be https://github.com/pagekite/PyPagekit... (line numbers have shifted)
    Permalink

Leave a comment

( (Please leave these blank: )

We use Gravatar for commenter's photos. Get your own, it's free!

Wiki

Links