Jeffrey M. Vinocur jeff at
Fri Apr 20 16:30:59 UTC 2001

On Thu, 19 Apr 2001, James F. Hranicky wrote:

> Attached is a Q&D patch that requires users who wish to authenticate
> using AUTHINFO to use an SSLified connection to do so.
> A possible further enhancement would be an option in inn.conf/readers.conf
> to turn it off by default, and options in readers.conf to turn it on/off
> on a per site basis.

I wrote a patch with functionality similar to that you describe which has
been in the CURRENT tree for a while now.  It allows blocks in
readers.conf to be tagged as ssl-only.  It effectively subsumes your patch
except with regard to error reporting -- since a ssl-requiring block does
not ``match'' a non-SSL connection, nnrpd can't distinguish e.g. a non-SSL
connection that ``is trying to'' match an SSL-only block from a bad-
incoming-IP connection that ``is trying to'' match some plaintext-ok

See <> for code (descriptions at the

Hmm.  Would people like having a feature added to nnrpd such that a
readers.conf access stanza could be tagged in such a way that any user
matching it would receive an arbitrary error message?  Like this
("ssl-required" is the patch I talk about above, "reject" is the new thing
I'm thinking of):

auth "foo-plain" {
  hosts: "10.*"
  ssl-required: no
  default: <NEEDSSL>
}

auth "foo-ssl" {
  hosts: "10.*"
  ssl-required: yes
  auth: "ckpasswd"
}

access "bar" {
  users: "*"
  newsgroups: "*"
}

access "deny" {
  users: <NEEDSSL>
  reject: "Sorry, to connect from your IP you need SSL."
}

that would give the functionality you want, I think.

Jeffrey M. Vinocur
jeff at
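
Added example, not part of the original message and not nnrpd code: a small Python model of how the stanzas proposed above would resolve for plaintext and SSL connections. It assumes that the last matching group in file order is used and that patterns are shell-style wildcards; `last_match`, `pick_auth` and `decide` are hypothetical names, and `reject` is the key proposed in the message.

```python
from fnmatch import fnmatchcase

# Constructed model of the stanzas in the message above; not nnrpd code.
AUTH = [
    {"name": "foo-plain", "hosts": "10.*", "ssl_required": False,
     "default": "<NEEDSSL>"},
    {"name": "foo-ssl", "hosts": "10.*", "ssl_required": True,
     "auth": "ckpasswd"},
]
ACCESS = [
    {"name": "bar", "users": "*", "newsgroups": "*"},
    {"name": "deny", "users": "<NEEDSSL>",
     "reject": "Sorry, to connect from your IP you need SSL."},
]

def last_match(groups, pred):
    """Assumption: the last matching group in file order is the one used."""
    hit = None
    for group in groups:
        if pred(group):
            hit = group
    return hit

def pick_auth(ip, is_ssl, groups=AUTH):
    # An ssl-required block does not match a plaintext connection at all.
    return last_match(groups, lambda g: fnmatchcase(ip, g["hosts"])
                      and (is_ssl or not g["ssl_required"]))

def decide(ip, is_ssl, user=None, groups=AUTH):
    """Return (outcome, detail); user is the name proven via AUTHINFO."""
    auth = pick_auth(ip, is_ssl, groups)
    if auth is None:
        return ("no-match", None)  # same result as a bad incoming IP
    if "auth" in auth:
        if user is None:
            return ("needs-authinfo", auth["name"])
    else:
        user = auth["default"]  # identity assigned without a password
    access = last_match(ACCESS, lambda g: fnmatchcase(user, g["users"]))
    if access is None:
        return ("no-match", None)
    if "reject" in access:
        return ("reject", access["reject"])
    return ("allow", access["name"])

if __name__ == "__main__":
    for args in [("10.1.2.3", False), ("10.1.2.3", True, "alice"),
                 ("192.0.2.7", False)]:
        print(args, "->", decide(*args))
```

Passing `groups=AUTH[1:]` drops the plaintext catch-all block and reproduces the error-reporting gap described in the message: a plaintext client from 10.* then gets the same result as a client from an unlisted address.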
