Authentication blues

Russ Allbery rra at stanford.edu
Mon Feb 26 06:03:39 UTC 2001


Zenon Panoussis <oracle at xs4all.nl> writes:

> Suddenly it works, and I can't figure what was wrong. I eliminated
> possible confusion by removing all auth/access groups except the
> password-protected one and ended up with

> auth "cleared" {
>      hosts:    "*"
>      auth:     "ckpasswd -f /usr/local/news/etc/passwords"
> }

> access "cleared" {
>      users:      "*"
>      read:       "*,!control*,!junk"
> }

> The default: "<fail>" part doesn't seem to be needed, except perhaps in
> case the authentication system would fail and let is somebody with a
> non-matching pair of username/password.

Right, you don't need default: <fail> with that configuration and in fact
you don't want it, since otherwise you'd let everyone in.

The key point to realize is that if the username and password don't match,
the user gets a special failing string that doesn't match *any* users key,
even "*".  So if authentication fails, there's no matching access group.

You can even keep adding other auth groups with other methods of
establishing the user, such as a default: entry for anyone connecting from
local systems, and as long as they assign a user string and failed
authentication doesn't (which means making sure they don't have default:
parameters), it will continue working the way you want.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the inn-workers mailing list