unique readers

Jeffrey M. Vinocur jeff at litech.org
Thu Aug 1 05:59:43 UTC 2002


On Tue, 11 Jun 2002, Russ Allbery wrote:

[ Back from vacation, resurrecting some old threads ]

> Todd Olson <tco2 at cornell.edu> writes:
> 
> > Cornell Univ. is about to deploy a cookie based Kerberos proxy system
> > for Cornell www sites that care about limiting access.
> 
> Is someone who knows how this is working coming to Cartel next week at
> Stanford?  We're currently working on our second-generation webauth
> system, which is very similar, and we should compare notes.

(Russ, are you still curious about this?  I think there are some slides on 
cuwebauth/cuweblogin up on the web which may be informative.)


> > If NNTP had cookie technology, then we could potentially tie it in to
> > this system.  As it stands now, while we have hacked sidecar support in
> > to an old nnrpd we have to tell people that it does not work from behind
> > a NAT.

Todd, FYI, I don't think you're locked into 2.2 because of the hacks; the
pluggable resolver scheme introduced with readers.conf should be able to
do the out-of-band querying you require.  (I looked at writing the
necessary resolver one afternoon, to present to you as fait accompli, but
couldn't find the necessary libraries.  I think it will be
straightforward; model off the ident resolver which comes with 2.3.)


> The problem, though, is that what you really want to do is share the
> cookies between your browser and NNTP, but getting things into and out of
> the browser cookie jar is a major pain.

And surely nonportable beyond belief.  (One can dream of solutions, 
though.)


> Currently, I have some hope for using username/password over SSL, but it
> would be nice to have a better solution.  

Indeed, as -- while that works -- it horribly violates the Kerberos 
security model.  It's way too easy to inadvertently train users to type 
their password into anything resembling a password box.


> We should get SASL at some point, 

I spent a remarkable portion of the summer out of the country; I hope to 
put some significant time into this in the immediate future.


> but that doesn't necessarily help as we already found with mail.

Hmm, any pointers to decent discussion of these issues?


-- 
Jeffrey M. Vinocur
jeff at litech.org
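The resolver Jeffrey suggests modelling on the ident one would look roughly like this; this is an added illustration, not code from INN or from anyone in this thread. It reads the ClientHost/ClientIP/ClientPort/LocalIP/LocalPort lines nnrpd hands a readers.conf resolver on stdin, stands in for the out-of-band query with a constructed lookup table, and answers with a User: line. The field names and reply format are assumed from INN's external-auth hook; the session table, its addresses and user names are made up.

```python
import sys

# Constructed stand-in for the out-of-band query a real resolver would make
# (asking the sidecar / proxy which user holds a given client connection).
# Keyed by (client IP, client port): behind a NAT several users share one IP,
# so the port is the only thing that distinguishes them, and even that is not
# stable across the translation; this is the weakness Todd describes.
SESSION_TABLE = {
    ("128.253.0.10", 40001): "tco2",
    ("128.253.0.11", 40002): "jeff",
}


def parse_request(lines):
    """Parse the 'Key: value' lines nnrpd writes to the resolver's stdin.

    Reading stops at the terminating '.' line.  Returns a dict keyed by
    field name (ClientHost, ClientIP, ClientPort, LocalIP, LocalPort).
    """
    fields = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == ".":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def resolve(fields, table=SESSION_TABLE):
    """Map the connecting client to a user name, or None if unknown."""
    try:
        key = (fields["ClientIP"], int(fields["ClientPort"]))
    except (KeyError, ValueError):
        return None
    return table.get(key)


def respond(user):
    """Build the single reply line nnrpd expects: 'User:<name>'."""
    return "User:%s\r\n" % user


def main():
    fields = parse_request(sys.stdin)
    user = resolve(fields)
    if user is None:
        sys.exit(1)  # no identity; nnrpd applies the auth group's default:
    sys.stdout.write(respond(user))
    sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Hook it in with a `res:` line in the relevant readers.conf auth group; the program is run per connection, so the lookup must be cheap.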
