unique readers
Jeffrey M. Vinocur
jeff at litech.org
Thu Aug 1 05:59:43 UTC 2002
On Tue, 11 Jun 2002, Russ Allbery wrote:
[ Back from vacation, resurrecting some old threads ]
> Todd Olson <tco2 at cornell.edu> writes:
>
> > Cornell Univ. is about to deploy a cookie based Kerberos proxy system
> > for Cornell www sites that care about limiting access.
>
> Is someone who knows how this is working coming to Cartel next week at
> Stanford? We're currently working on our second-generation webauth
> system, which is very similar, and we should compare notes.
(Russ, are you still curious about this? I think there are some slides on
cuwebauth/cuweblogin up on the web which may be informative.)
> > If NNTP had cookie technology, then we could potentially tie it in to
> > this system. As it stands now, while we have hacked sidecar support in
> > to an old nnrpd we have to tell people that it does not work from behind
> > a NAT.
Todd, FYI, I don't think you're locked into 2.2 because of the hacks; the
pluggable resolver scheme introduced with readers.conf should be able to
do the out-of-band querying you require. (I looked at writing the
necessary resolver one afternoon, to present to you as fait accompli, but
couldn't find the necessary libraries. I think it will be
straightforward; model off the ident resolver which comes with 2.3.)
> The problem, though, is that what you really want to do is share the
> cookies between your browser and NNTP, but getting things into and out of
> the browser cookie jar is a major pain.
And surely nonportable beyond belief. (One can dream of solutions,
though.)
> Currently, I have some hope for using username/password over SSL, but it
> would be nice to have a better solution.
Indeed, as -- while that works -- it horribly violates the Kerberos
security model. It's way too easy to inadvertently train users to type
their password into anything resembling a password box.
> We should get SASL at some point,
I spent a remarkable portion of the summer out of the country; I hope to
put some significant time into this in the immediate future.
> but that doesn't necessarily help as we already found with mail.
Hmm, any pointers to decent discussion of these issues?
--
Jeffrey M. Vinocur
jeff at litech.org