Authentication

[Russ Allbery]

Owen Jacobson <ojacobson.innd at mx-deus.net> writes:

> The change you suggested has simply made the 'private' groups
> publicly-visible.  readers.conf now looks like:

> auth "ue-staff" {
> hosts: *
> auth: "ckpasswd -s"
> default: "<ue-staff>"
> }

Oh, I didn't notice this before... this isn't doing what you expect.  The
default is what happens when the person *doesn't* authenticate.  So if the
user connects from any host and *doesn't* authenticate, they get assigned
the identity of <ue-staff>

> auth "world" {
> hosts: *
> default: "<world>"
> }

You don't actually want two auth groups.  What you want is this:

auth "all" {
    hosts: *
    auth: "ckpasswd -s"
    default: <world>
}

In other words, any connection gets assigned the default identity of
<world> and only gets an actual identity if they send AUTHINFO commands
and ckpasswd -s succeeds.

access "ue-groups" {
    users: *,!<world>
    newsgroups: ue.*
}

All users except <world> get access to all of ue.*.

access "pub" {
    users: <world>
    newsgroups: ue.pub.*
}

And the <world> user only gets access to ue.pub.*.

You can leave off the access lines, as they're the default.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.