Some questions from a new user
Scott Ream
inn at 9370.org
Sat Jun 29 00:00:42 UTC 2002
> -----Original Message-----
> From: inn-workers-bounce at isc.org [mailto:inn-workers-bounce at isc.org]On
> Behalf Of Jeffrey M. Vinocur
> Sent: Friday, June 28, 2002 1:05 AM
> To: Scott Ream
> Cc: Inn-Workers at Isc. Org
> Subject: Re: Some questions from a new user
>
>
>
> On Thu, 27 Jun 2002, Scott Ream wrote:
>
> > I've been monitoring this list for a bit and feel comfortable asking some
> > beginner level questions. I have read a lot of the documentation
>
> I think you're not entirely comfortable with how the news peering
> infrastructure works, but that will come with time.
>
True
>
> > 1) Are there any issues with INN on OpenBSD? I didn't find any on google
> > but I thought it was a good idea to ask.
>
> I can't speak to this ... should be fine, though.
>
>
> > 2) Is my proposed hardware setup sufficient?
>
> *laugh* You didn't tell us the number of articles per day, but I
> expect it's similarly small. You would have to try pretty hard to
> find hardware that couldn't handle that.
>
>
Very low traffic. Probably less than 100 posts a day.

> > 2) Getnews for securecomp groups from securecomp server and local groups
> > from my local dnews server
>
> I don't understand "getnews" -- oh, for INN people usually use 'suck' or
> 'newsx'.
>
>
Yes, I meant sucknews.

> > 4) Change the rdr in my nat router from the dnews box to the inn box
> >
> > Will the above work? Will it be transparent to a user's newsreader or will
> > they have to delete and then add the server in their reader?
>
> The article numbers will be different, so all of their clients will be
> confused (and they will lose all of the read/unread article markings they
> have made). You can get around this with some effort by:
>
> - set everything up, make sure it works
> - wipe out the history and overview for INN and regenerate like new
> - turn on xrefslave in inn.conf
> - disable incoming articles and posting on the diablo machine briefly
> - do something like #3.9 of http://www.eyrie.org/~eagle/faqs/inn.html
> - switch the redirect
>
> Then the clients will not notice a change. The directions in the FAQ I
> mention above won't work as you're not running INN on the source machine;
> you'd need to find an equivalent for Diablo or else use something like
> "suck" or "newsx" for this.
>
>
Ok, the people using the test server know that it is an experiment so I'll
just have them re-add the group after it is switched over.

> > After I get this set up I would like to 'peer' with the securecomp server for
> > the two groups I will be mirroring. What I mean by this is that I will make
> > the securecomp groups postable and then my news server will feed to their
> > news server. Are there any issues with this?
>
> Will they go along with this? If not, it's not a real feed. (You can do
> a suck feed, although it's not as nice -- and may even violate terms of
> service in some cases.)
>
>
Yes they will go along with it.

> > As I said above, I am very interested in the authorization mechanisms used
> > by INN.
>
> Whoa, confusion alert. When we talk about authentication here, we
> generally mean of newsreader clients to the server. The mechanisms you
> describe generally have to do with signing of *articles* (and that is
> almost never relevant to INN; an article is just a blob from its point of
> view).
>
>
> > I have read about using PGP signatures to post to a control group
>
> This is the exception to the "almost" above.
>
>
> > and I assume that you can set up PGP sig verification to post to any group.
>
> The user can of course sign any article he likes. You'd have to do some
> work to restrict posting based on that, though.
>
>
Ok

> > I am curious about x509 signatures as well. I seem to remember that
> > Collabra could do this. Are there any implementations using x509 certs and
> > INN? I would be primarily interested in testing these against a private CA
> > we are setting up.
>
> I don't know of any certificates used for user authentication, really.
> There's SSL support in INN, although not for examining the client cert and
> doing authorization based on it. The only other certificate-like thing I
> know of in actual use is Kerberos. (I may be unaware of something,
> though.)
>
Actually what I meant was that it checks the x509 signature of a post and if
it is valid (i.e. signed by the root CA) it is posted.

Sorry for the confusion. Thanks.

Scott C Ream
sream at 9370.org
PGP Key ID 0xA76DAA1B68DEEAF6
X509 Key ID 0x9B03A7E0294E6171