unique readers

Jeffrey M. Vinocur jeff at litech.org
Thu Aug 1 05:59:43 UTC 2002

On Tue, 11 Jun 2002, Russ Allbery wrote:

[ Back from vacation, resurrecting some old threads ]

> Todd Olson <tco2 at cornell.edu> writes:
> > Cornell Univ. is about to deploy a cookie based Kerberos proxy system
> > for Cornell www sites that care about limiting access.
> Is someone who knows how this is working coming to Cartel next week at
> Stanford?  We're currently working on our second-generation webauth
> system, which is very similar, and we should compare notes.

(Russ, are you still curious about this?  I think there are some slides on 
cuwebauth/cuweblogin up on the web which may be informative.)

> > If NNTP had cookie technology, then we could potentially tie it in to
> > this system.  As it stands now, while we have hacked sidecar support in
> > to an old nnrpd we have to tell people that it does not work from behind
> > a NAT.

Todd, FYI, I don't think you're locked into 2.2 because of the hacks; the
pluggable resolver scheme introduced with readers.conf should be able to
do the out-of-band querying you require.  (I looked at writing the
necessary resolver one afternoon, to present to you as fait accompli, but
couldn't find the necessary libraries.  I think it will be
straightforward; model off the ident resolver which comes with 2.3.)

> The problem, though, is that what you really want to do is share the
> cookies between your browser and NNTP, but getting things into and out of
> the browser cookie jar is a major pain.

And surely nonportable beyond belief.  (One can dream of solutions, 

> Currently, I have some hope for using username/password over SSL, but it
> would be nice to have a better solution.  

Indeed, as -- while that works -- it horribly violates the Kerberos 
security model.  It's way too easy to inadvertently train users to type 
their password into anything resembling a password box.

> We should get SASL at some point, 

I spent a remarkable portion of the summer out of the country; I hope to 
put some significant time into this in the immediate future.

> but that doesn't necessarily help as we already found with mail.

Hmm, any pointers to decent discussion of these issues?

Jeffrey M. Vinocur
jeff at litech.org
