INN Authentication etc

Jeffrey M. Vinocur jeff at litech.org
Sat Feb 24 02:10:56 UTC 2001


On Fri, 23 Feb 2001, Phil Dowling wrote:

> However since INN has got rid of the nnrp.access file this seems to be
> an absolute nightmare for us.  We are now looking at having to use the
> readers.conf solutions.

You can obtain the old functionality (separate passwords) using
readers.conf -- is that what you'd prefer to do?


> I have read all the manuals and pretty much understand the concept.
> We want the auth program to read our shadow password DB and
> authenticate people in this manner.

Getting access to the passwords themselves depends a bit on your system
configuration (you presumably need to either run nnrpd as root or make
ckpasswd SUID root but only executable by the 'news' group).  If you have
that down, then you want something like this in readers.conf:

# You only should do this if you've read the manpage for ckpasswd and
# understand the security risks described under "-s".  It is less
# risky if you only allow connections from "trustworthy" hosts.
auth "insecure" {
    hosts: "*"
    auth: "ckpasswd -s"
    default: "<FAIL>"
}

access "ok" {
    users: "*"
    newsgroups: "*"
}

access "bad" {
    users: "<FAIL>"
    newsgroups: "!*"
}



> I am testing it using Outlook Express and Agent to see if the auth
> works.  Does this auth system work with those readers, do you know?

I believe so.


-- 
Jeffrey M. Vinocur
jeff at litech.org
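
A small lint for the caveat in the configuration comment above, as an added example that is not part of the original message or of INN: it parses flat auth/access blocks from readers.conf and reports the auth blocks that run "ckpasswd -s" for every connecting host. The sample input is constructed (the "campus" block and its host patterns are hypothetical), and treating a missing hosts key as matching all hosts is an assumption of this example.

```python
import re
import shlex

# Constructed sample: the auth block from the message plus a hypothetical
# host-restricted variant ("campus" and its patterns are made up).
SAMPLE = '''
auth "insecure" {
    hosts: "*"
    auth: "ckpasswd -s"
    default: "<FAIL>"
}

auth "campus" {
    hosts: "*.example.org, 192.0.2.0/24"
    auth: "ckpasswd -s"
}
'''

BLOCK_RE = re.compile(r'^(auth|access)\s+"?([^"\s{]+)"?\s*\{(.*?)^\s*\}', re.M | re.S)
KEY_RE = re.compile(r'^\s*([A-Za-z-]+):\s*(.*?)\s*$')


def parse_blocks(text):
    """Return [(kind, name, {key: value})] for flat auth/access blocks."""
    blocks = []
    for kind, name, body in BLOCK_RE.findall(text):
        params = {}
        for line in body.splitlines():
            m = KEY_RE.match(line)
            if m and not line.lstrip().startswith('#'):
                params[m.group(1)] = m.group(2).strip('"')
        blocks.append((kind, name, params))
    return blocks


def shadow_auth_open_to_all(text):
    """Names of auth blocks that run `ckpasswd -s` for every connecting host."""
    risky = []
    for kind, name, params in parse_blocks(text):
        argv = shlex.split(params.get('auth', ''))
        uses_shadow = bool(argv) and argv[0].endswith('ckpasswd') and '-s' in argv[1:]
        # Assumption of this example: a missing hosts key matches every host.
        hosts = [h.strip() for h in params.get('hosts', '*').split(',')]
        if kind == 'auth' and uses_shadow and '*' in hosts:
            risky.append(name)
    return risky


if __name__ == '__main__':
    print(shadow_auth_open_to_all(SAMPLE))
```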


