[IPython-dev] pyzmq authentication
Fernando Perez
fperez.net at gmail.com
Wed Jun 1 14:20:30 EDT 2011
On Wed, Jun 1, 2011 at 9:41 AM, MinRK <benjaminrk at gmail.com> wrote:
> What we have currently is extremely primitive, and only meant to
> protect against accidental execution rather than
> malicious intrusion. The key is sent and checked with every message.

If I understand correctly the link Jason sent, and from a quick
reading of the multiprocessing code, we should be able to use the same
machinery to avoid sending/receiving the keys. The main functions that
do the work in MP are in the 'connection' submodule, and they are
really two standalone functions:

    def deliver_challenge(connection, authkey):
        import hmac
        assert isinstance(authkey, bytes)
        message = os.urandom(MESSAGE_LENGTH)
        connection.send_bytes(CHALLENGE + message)
        digest = hmac.new(authkey, message).digest()
        response = connection.recv_bytes(256)        # reject large message
        if response == digest:
            connection.send_bytes(WELCOME)
        else:
            connection.send_bytes(FAILURE)
            raise AuthenticationError('digest received was wrong')

    def answer_challenge(connection, authkey):
        import hmac
        assert isinstance(authkey, bytes)
        message = connection.recv_bytes(256)         # reject large message
        assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
        message = message[len(CHALLENGE):]
        digest = hmac.new(authkey, message).digest()
        connection.send_bytes(digest)
        response = connection.recv_bytes(256)        # reject large message
        if response != WELCOME:
            raise AuthenticationError('digest sent was rejected')

They work with objects that have a basic socket interface, but
adapting this to zmq sockets should be possible. Am I missing
something?
Cheers,
f
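
Added example (not part of the original message, and not IPython's or pyzmq's code): the same challenge/response handshake written against the send()/recv() methods a zmq socket exposes, with HMAC-SHA256 and a constant-time comparison in place of the quoted code's default digest and ==. PairStub, handshake, NONCE_LEN and MAX_FRAME are assumptions of this example; with real zmq the socket type must let the listener send first, such as PAIR.

```python
import hmac, os, queue, threading
CHALLENGE, WELCOME, FAILURE = b"#CHALLENGE#", b"#WELCOME#", b"#FAILURE#"
NONCE_LEN, MAX_FRAME = 32, 256   # assumed sizes for this example

class AuthenticationError(Exception):
    pass

def _recv(sock):
    frame = sock.recv()
    if len(frame) > MAX_FRAME:            # reject large message, as in the quoted code
        raise AuthenticationError("oversized handshake frame")
    return frame

def deliver_challenge(sock, authkey):
    """Listener side: check the peer knows authkey; the key never crosses the wire."""
    nonce = os.urandom(NONCE_LEN)         # fresh per connection, so a reply cannot be replayed
    sock.send(CHALLENGE + nonce)
    expected = hmac.new(authkey, nonce, "sha256").digest()
    if not hmac.compare_digest(_recv(sock), expected):   # constant-time comparison
        sock.send(FAILURE)
        raise AuthenticationError("digest received was wrong")
    sock.send(WELCOME)

def answer_challenge(sock, authkey):
    """Connecting side: answer the nonce with HMAC(authkey, nonce)."""
    frame = _recv(sock)
    if not frame.startswith(CHALLENGE):
        raise AuthenticationError("unexpected handshake frame")
    sock.send(hmac.new(authkey, frame[len(CHALLENGE):], "sha256").digest())
    if _recv(sock) != WELCOME:
        raise AuthenticationError("digest sent was rejected")

class PairStub:   # constructed in-process stand-in for one end of a zmq PAIR socket
    def __init__(self, inbox, outbox):
        self.recv = lambda: inbox.get(timeout=5)
        self.send = outbox.put

def handshake(listener_key, connector_key):
    """Run both sides over a stub pair; return (listener_ok, connector_ok)."""
    a, b, ok = queue.Queue(), queue.Queue(), {0: True, 1: True}
    def run(side, fn, sock, key):
        try:
            fn(sock, key)
        except AuthenticationError:
            ok[side] = False
    jobs = [threading.Thread(target=run, args=(0, deliver_challenge, PairStub(a, b), listener_key)),
            threading.Thread(target=run, args=(1, answer_challenge, PairStub(b, a), connector_key))]
    for t in jobs: t.start()
    for t in jobs: t.join()
    return ok[0], ok[1]
```
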