AUTHINFO SSL Patch

Jeffrey M. Vinocur jeff at litech.org
Fri Apr 20 16:30:59 UTC 2001


On Thu, 19 Apr 2001, James F. Hranicky wrote:

> Attached is a Q&D patch that requires users who wish to authenticate
> using AUTHINFO to use an SSLified connection to do so.
>
> A possible further enhancement would be an option in inn.conf/readers.conf
> to turn it off by default, and options in readers.conf to turn it on/off
> on a per site basis.

I wrote a patch with functionality similar to that you describe which has
been in the CURRENT tree for a while now.  It allows blocks in
readers.conf to be tagged as ssl-only.  It effectively subsumes your patch
except with regard to error reporting -- since a ssl-requiring block does
not ``match'' a non-SSL connection, nnrpd can't distinguish e.g. a non-SSL
connection that ``is trying to'' match an SSL-only block from a bad-
incoming-IP connection that ``is trying to'' match some plaintext-ok
block.

See <http://www.litech.org/~jeff/inn-diffs/> for code (descriptions at the
bottom).


Hmm.  Would people like having a feature added to nnrpd such that a
readers.conf access stanza could be tagged in such a way that any user
matching it would receive an arbitrary error message?  Like this
("ssl-required" is the patch I talk about above, "reject" is the new thing
I'm thinking of):

auth "foo-plain" {
  hosts: "10.*"
  ssl-required: no
  default: <NEEDSSL>
}

auth "foo-ssl" {
  hosts: "10.*"
  ssl-required: yes
  auth: "ckpasswd"
}

access "bar" {
  users: "*"
  newsgroups: "*"
}
access "deny" {
  users: <NEEDSSL>
  reject: "Sorry, to connect from your IP you need SSL."
}

that would give the functionality you want, I think.


-- 
Jeffrey M. Vinocur
jeff at litech.org
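
Added example, not part of the original message and not INN code: a Python model of how the stanzas above would be selected, showing why an ssl-only block alone gives a plaintext client the same result as a client from the wrong IP, and how the proposed "reject" key separates the two. Assumptions: the last matching block in file order wins, Python's fnmatchcase stands in for INN's wildmat matching, and the names pick_auth, decide and SSL_ONLY are hypothetical.

```python
# Simplified model of the stanzas proposed above (added example, not INN code).
# Assumed: shell-style wildcard matching, and the last matching block wins.
from fnmatch import fnmatchcase

AUTH = [  # auth blocks from the message, in file order
    {"name": "foo-plain", "hosts": "10.*", "ssl_required": False,
     "default": "<NEEDSSL>"},
    {"name": "foo-ssl", "hosts": "10.*", "ssl_required": True,
     "auth": "ckpasswd"},
]
ACCESS = [  # access blocks from the message; "reject" is the proposed key
    {"name": "bar", "users": "*", "newsgroups": "*"},
    {"name": "deny", "users": "<NEEDSSL>",
     "reject": "Sorry, to connect from your IP you need SSL."},
]

def pick_auth(ip, ssl, blocks):
    """Return the last auth block that matches this connection, or None."""
    chosen = None
    for block in blocks:
        if not fnmatchcase(ip, block["hosts"]):
            continue
        if block["ssl_required"] and not ssl:
            continue  # an ssl-required block never matches a plaintext client
        chosen = block
    return chosen

def decide(ip, ssl, user=None, auth_blocks=AUTH, access_blocks=ACCESS):
    """Return (outcome, detail); `user` is the authenticator's result, if any."""
    auth = pick_auth(ip, ssl, auth_blocks)
    if auth is None:
        return ("no-match", None)  # the reason for the miss is lost here
    identity = user if "auth" in auth else auth.get("default")
    if identity is None:
        return ("need-auth", auth["auth"])
    access = None
    for block in access_blocks:
        if fnmatchcase(identity, block["users"]):
            access = block
    if access is None:
        return ("no-match", None)
    if "reject" in access:
        return ("reject", access["reject"])
    return ("allow", access["name"])

SSL_ONLY = [AUTH[1]]  # configuration with only the ssl-required block
```

With SSL_ONLY passed as auth_blocks, a plaintext client from 10.1.2.3 and any client from 192.0.2.7 (a constructed address) both come back as ("no-match", None); with the full configuration the plaintext client gets the reject text instead.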


