AUTHINFO SSL Patch
Jeffrey M. Vinocur
jeff at litech.org
Fri Apr 20 16:30:59 UTC 2001
On Thu, 19 Apr 2001, James F. Hranicky wrote:
> Attached is a Q&D patch that requires users who wish to authenticate
> using AUTHINFO to use an SSLified connection to do so.
>
> A possible further enhancement would be an option in inn.conf/readers.conf
> to turn it off by default, and options in readers.conf to turn it on/off
> on a per site basis.
I wrote a patch with functionality similar to that you describe which has
been in the CURRENT tree for a while now. It allows blocks in
readers.conf to be tagged as ssl-only. It effectively subsumes your patch
except with regard to error reporting -- since a ssl-requiring block does
not ``match'' a non-SSL connection, nnrpd can't distinguish e.g. a non-SSL
connection that ``is trying to'' match an SSL-only block from a bad-
incoming-IP connection that ``is trying to'' match some plaintext-ok
block.
See <http://www.litech.org/~jeff/inn-diffs/> for code (descriptions at the
bottom).
Hmm. Would people like having a feature added to nnrpd such that a
readers.conf access stanza could be tagged in such a way that any user
matching it would receive an arbitrary error message? Like this
("ssl-required" is the patch I talk about above, "reject" is the new thing
I'm thinking of):

    auth "foo-plain" {
        hosts: "10.*"
        ssl-required: no
        default: <NEEDSSL>
    }

    auth "foo-ssl" {
        hosts: "10.*"
        ssl-required: yes
        auth: "ckpasswd"
    }

    access "bar" {
        users: "*"
        newsgroups: "*"
    }

    access "deny" {
        users: <NEEDSSL>
        reject: "Sorry, to connect from your IP you need SSL."
    }

that would give the functionality you want, I think.
--
Jeffrey M. Vinocur
jeff at litech.org
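
Added example, not part of the original message and not INN code: a small Python model of the stanzas above. It shows why an ssl-required block alone yields the same generic denial for a plaintext client and a wrong-IP client, and how the proposed "reject" stanza separates the two. The helper names, the fnmatch-based matching and the rule that the last matching block wins are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed model of the stanzas in the message above. "reject" is the key
# proposed there; treating the last matching block as the winner is an assumption.
AUTH = [
    {"name": "foo-plain", "hosts": "10.*", "ssl_required": False, "default": "<NEEDSSL>"},
    {"name": "foo-ssl", "hosts": "10.*", "ssl_required": True, "auth": "ckpasswd"},
]
ACCESS = [
    {"name": "bar", "users": "*", "newsgroups": "*"},
    {"name": "deny", "users": "<NEEDSSL>",
     "reject": "Sorry, to connect from your IP you need SSL."},
]
GENERIC = ("denied", "no auth block matches this connection")

def matching_auth(ip, ssl, auth_blocks):
    """An ssl-required block simply fails to match a plaintext connection."""
    return [b for b in auth_blocks
            if fnmatchcase(ip, b["hosts"]) and (ssl or not b["ssl_required"])]

def resolve(ip, ssl, user=None, auth_blocks=AUTH, access_blocks=ACCESS):
    """Return (outcome, detail) for one connection (hypothetical helper)."""
    matched = matching_auth(ip, ssl, auth_blocks)
    if not matched:
        return GENERIC          # wrong IP and missing SSL look identical here
    block = matched[-1]
    if "auth" in block:
        if user is None:
            return ("auth-required", block["auth"])
        identity = user         # assumes the authenticator accepted the user
    else:
        identity = block["default"]
    hits = [a for a in access_blocks if fnmatchcase(identity, a["users"])]
    if not hits:
        return ("denied", "no access block matches this user")
    access = hits[-1]
    if "reject" in access:
        return ("rejected", access["reject"])
    return ("allowed", access["name"])

if __name__ == "__main__":
    ssl_only = AUTH[1:]         # ssl-required patch alone, no catch-all stanza
    print(resolve("10.1.2.3", False, auth_blocks=ssl_only))
    print(resolve("192.0.2.7", False, auth_blocks=ssl_only))
    print(resolve("10.1.2.3", False))
    print(resolve("10.1.2.3", True, user="alice"))
```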