Some questions from a new user

Scott Ream inn at
Sat Jun 29 00:00:42 UTC 2002

> -----Original Message-----
> From: inn-workers-bounce at [mailto:inn-workers-bounce at]On
> Behalf Of Jeffrey M. Vinocur
> Sent: Friday, June 28, 2002 1:05 AM
> To: Scott Ream
> Cc: Inn-Workers at Isc. Org
> Subject: Re: Some questions from a new user
> On Thu, 27 Jun 2002, Scott Ream wrote:
> > I've been monitoring this list for a bit and feel comfortable asking some
> > beginner level questions.  I have read a lot of the documentation
> I think you're not entirely comfortable with how the news peering
> infrastructure works, but that will come with time.


> > 1)  Are there any issues with INN on OpenBSD?  I didn't find any on Google
> > but I thought it was a good idea to ask.
> I can't speak to this ... should be fine, though.
> > 2)  Is my proposed hardware setup sufficient?
> *laugh*  You didn't tell us the number of articles per day, but I
> expect it's similarly small.  You would have to try pretty hard to
> find hardware that couldn't handle that.

Very low traffic.  Probably less than 100 posts a day.

> > 2)  Getnews for securecomp groups from securecomp server and local groups
> > from my local dnews server
> I don't understand "getnews" -- oh, for INN people usually use 'suck' or
> 'newsx'.

Yes, I meant sucknews.

> > 4)  Change the rdr in my nat router from the dnews box to the inn box
> >
> > Will the above work?  Will it be transparent to a user's newsreader or will
> > they have to delete and then add the server in their reader?
> The articles numbers will be different, so all of their clients will be
> confused (and they will lose all of the read/unread article markings they
> have made).  You can get around with some effort by:
> - set everything up, make sure it works
> - wipe out the history and overview for INN and regenerate like new
> - turn on xrefslave in inn.conf
> - disable incoming articles and posting on the diablo machine briefly
> - do something like #3.9 of
> - switch the redirect
> Then the clients will not notice a change.  The directions in the FAQ I
> mention above won't work as you're not running INN on the source machine;
> you'd need to find an equivalent for Diablo or else use something like
> "suck" or "newsx" for this.

Ok, the people using the test server know that it is an experiment so I'll
just have them re-add the group after it is switched over.

> > After I get this set up I would like to 'peer' with the securecomp server for
> > the two groups I will be mirroring. What I mean by this is that I will make
> > the securecomp groups postable and then my news server will feed to their
> > news server.  Are there any issues with this?
> Will they go along with this?  If not, it's not a real feed.  (You can do
> a suck feed, although it's not as nice -- and may even violate terms of
> service in some cases.)

Yes they will go along with it.

> > As I said above, I am very interested in the authorization mechanisms used
> > by INN.
> Whoa, confusion alert.  When we talk about authentication here, we
> generally mean of newsreader clients to the server.  The mechanisms you
> describe generally have to do with signing of *articles* (and that is
> almost never relevant to INN; an article is just a blob from its point of
> view).
> > I have read about using PGP signatures to post to a control group
> This is the exception to the "almost" above.
> > and I assume that you can set up PGP sig verification to post to any group.
> The user can of course sign any article he likes.  You'd have to do some
> work to restrict posting based on that, though.


> > I am curious about x509 signatures as well.  I seem to remember that
> > Collabra could do this.  Are there any implementations using x509 certs and
> > INN?  I would be primarily interested in testing these against a private CA
> > we are setting up.
> I don't know of any certificates used for user authentication, really.
> There's SSL support in INN, although not for examining the client cert and
> doing authorization based on it.  The only other certificate-like thing I
> know of in actual use is Kerberos.  (I may be unaware of something, though.)

Actually what I meant was that it checks the x509 signature of a post and if
it is valid (i.e. signed by the root CA) it is posted.

Sorry for the confusion. Thanks.

Scott C Ream
sream at
X509 Key ID 0x9B03A7E0294E6171
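
The check described in the last reply ("valid" meaning signed by a certificate the private root CA issued), as an added example that is not part of the original message and not something INN does itself. It assumes posts are S/MIME-signed and that the OpenSSL 1.1.0 or later command line is installed; every file name, subject and article body is constructed for the demo.

```shell
#!/bin/sh
# verify_post ARTICLE CA_PEM: exit 0 only if the S/MIME signature is intact and
# the signer's certificate chains to CA_PEM. -no-CApath keeps the system trust
# directory out of the decision, so a public CA cannot vouch for a poster.
verify_post() {
    openssl smime -verify -in "$1" -CAfile "$2" -no-CApath \
        -out /dev/null 2>/dev/null
}

# make_demo DIR: build a throwaway private CA, one poster certificate issued by
# it, one self-signed "rogue" certificate, and three test articles.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Poster" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/user.pem" 2>/dev/null || return 1
    # Same subject name as the real poster, but never issued by the private CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Poster" \
        -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null || return 1

    printf 'Subject: test\n\nMeeting at noon.\n' > "$d/body.txt"
    openssl smime -sign -in "$d/body.txt" -signer "$d/user.pem" \
        -inkey "$d/user.key" -out "$d/good.eml" 2>/dev/null || return 1
    openssl smime -sign -in "$d/body.txt" -signer "$d/rogue.pem" \
        -inkey "$d/rogue.key" -out "$d/rogue.eml" 2>/dev/null || return 1
    # Alter the clear-text part after signing; the signature no longer matches.
    sed 's/at noon/at nine/' "$d/good.eml" > "$d/tampered.eml"
}

# Demo run: one article per case, judged against the private CA only.
d=$(mktemp -d) && make_demo "$d" && for f in good tampered rogue; do
    if verify_post "$d/$f.eml" "$d/ca.pem"; then
        echo "$f: accept"
    else
        echo "$f: reject"
    fi
done
rm -rf "$d"
```

The rogue case is the one that matters for a private CA: the signature on that article is cryptographically sound, and it is rejected only because its certificate does not chain to `ca.pem`.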
