readers.conf question

Bettina Fink laura at hydrophil.de
Sat Mar 3 01:03:23 UTC 2001


Russ Allbery <rra at stanford.edu> wrote:

>> One of my access realms had *no* "users" parameter, which is described as
>> "catches all and everything", even clients with an "empty" identity. But
>> that wasn't true in practice.
> 
> I could have sworn I wrote that section based directly on the code.  Huh.
> I admittedly didn't actually try it, though.

I think even the absence of a "users:" parameter doesn't catch
an "empty" identity. I don't have another explanation why my
setup failed, but I'm far from understanding everything regarding
readers.conf.

And BTW, this is the authentication example from the new man
page; Katsuhiro (?) just added a default identity:

           auth all {
               auth: "ckpasswd -d /usr/local/news/db/newsusers"
               auth: "ckpasswd -s"
               default: <NOPASSWD>
           }

           access fail {
               newsgroups: !*
           }

           access full {
               users: *
               newsgroups: *
           }

But with a default identity, the "full" access realm matches
hosts that don't authenticate or fail authentication (they
get / keep the default identity), and this realm is the last
matching realm ...

It must be (in my understanding):

           auth all {
               auth: "ckpasswd -d /usr/local/news/db/newsusers"
               auth: "ckpasswd -s"
               default: <NOPASSWD>
           }

           access full {
               users: *
               newsgroups: *
           }

           access fail {
               users: <NOPASSWD>
               newsgroups: !*
           }

"users: <NOPASSWD>" is more specific and must be placed after
the "users: *" realm (last match rule).

And the explanations for the authentication example are now
completely wrong ...

Bye,
Bettina
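
The realm ordering issue discussed in this message, as an added example that is not part of the original post or of INN's code: a small Python model that assumes the last-match rule as the post states it and uses fnmatch as a stand-in for INN's wildmat matching. The user name "alice" and all function names are constructed, and treating a realm without "users" as matching any identity follows the documentation that the thread questions.

```python
from fnmatch import fnmatchcase

# Simplified model of what the post describes (an assumption, not INN's code):
# realms are checked top to bottom and the LAST matching realm wins.
DEFAULT_IDENTITY = "<NOPASSWD>"  # the "default:" value in the auth group

# Ordering quoted from the man page: "fail" first, "full" last.
MAN_PAGE_ORDER = [
    {"name": "fail", "users": None, "newsgroups": "!*"},
    {"name": "full", "users": "*", "newsgroups": "*"},
]

# Ordering proposed in the post: the specific <NOPASSWD> realm goes last.
PROPOSED_ORDER = [
    {"name": "full", "users": "*", "newsgroups": "*"},
    {"name": "fail", "users": "<NOPASSWD>", "newsgroups": "!*"},
]


def identity_for(authenticated_user):
    """Identity after the auth group: the user name, else the default."""
    return authenticated_user or DEFAULT_IDENTITY


def last_matching_realm(realms, identity):
    """Return the last realm whose "users" pattern matches the identity."""
    chosen = None
    for realm in realms:
        pattern = realm["users"]
        # Assumption: a realm with no "users" line matches any identity.
        if pattern is None or fnmatchcase(identity, pattern):
            chosen = realm  # keep going: a later match overrides this one
    return chosen


def unauthenticated_can_read(realms):
    """True if a client left with the default identity gets any newsgroups."""
    realm = last_matching_realm(realms, identity_for(None))
    return realm is not None and realm["newsgroups"] != "!*"


if __name__ == "__main__":
    for label, realms in (("man page", MAN_PAGE_ORDER), ("proposed", PROPOSED_ORDER)):
        for user in (None, "alice"):  # "alice" is a constructed user name
            realm = last_matching_realm(realms, identity_for(user))
            print(label, user, "->", realm["name"], realm["newsgroups"])
        print(label, "open to unauthenticated clients:", unauthenticated_can_read(realms))
```

In this model the man page ordering lands the default identity in "full" whether or not the "fail" realm matches, because "full" is last.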

