incoming.conf length limits

Todd Olson tco2 at cornell.edu
Fri Jan 17 19:15:13 UTC 2003


Hi

At 09:46 -0800 2003/01/17, Russ Allbery wrote:
>Todd Olson <tco2 at cornell.edu> writes:
>> (some might ask, why not just upgrade to the latest INN
>> (... well, Cornell has local hacks to nnrpd to do kerberos proxying
>> (    and to permit people to *read* news anonymously
>> (    yet to require authentication for posting
>> (
>> (I've not yet figured out how to make nnrpd in 2.3 or 2.4
>> (implement our policy (and or how to apply our local hacks).
>
>Is this using Sidecar?  So basically you want to trigger a Sidecar
>callback when the user tries to post, but not when they're just reading?

Okay ... I'll try to outline below, the hack we have
   (goes way back to 1.7 before I started here at Cornell).
Perhaps this bad example might provoke good ideas in the minds of people
tweaking nnrpd.

>You can do that with the Python authentication hooks, which are called
>with every attempt to do something like post.  The Perl hooks aren't, and
>would require attempting the authentication up-front.

very interesting ....

>Other than that, you could hack something like this into nnrpd without
>*too* much difficulty; basically, set up readers.conf so that no one can
>post, and then add some code to CMDpost that rather than just looking at
>PERMcanpost, instead does the Sidecar callback and uses that.  You'd also
>need to hack the nnrpd banner to return 200 instead of 201.

Thanks for the tip on the return code ...


The Cornell policy is this
    a) If the reader IP is 'outside' Cornell, then you must authenticate
       to read or post
    b) If the reader IP is 'inside' Cornell, then
          i) it can read without authentication (ie can read anonymously)
         ii) to post requires authentication
    c) Anonymous postings are not permitted ...
       All postings are marked (via the Sender: header) with the authentication
       id (ie the netid, ie the kerberos id)
    d) when authentication occurs the id is checked
       and certain id's are given access to additional groups
       that are not normally accessible  (this feature is used
       but not as widely as originally intended).  This is done
       by checking against the 'permit server' (CUSSP protocol).
    e) Currently authentication can happen in one of two ways
          i) via sidecar
         ii) nntp auth / Kerberos proxy
               (id/password sent from reader to server via nntp
               (server validates id/password via kerberos
        We are trying to move away from ii as clear text passwords
        over a network are a bad idea

            (note: I have not yet studied the new readers.conf
                   to see if this can be implemented in 2.{3,4}
                   without hacking nnrpd
            )

            (note: being able to transmit Kerberos via nntp
                   would be neat, as it would eliminate the need for sidecar
                   and thus NATs would stop being a problem
            )


The Cornell hack(s) is roughly this
    We modified the following files in nnrpd
        commands.c   nnrpd.c      nnrpd.h      post.c
     and files were added to support cussp and sidecar

    We changed the code to do this ...
    1) Check for sidecar on initial connection
       if sidecar present, then success or failure of sidecar session
       determines whether the connection proceeds
       otherwise proceed as non-hacked nnrpd would.
           (problems are that if sidecar is not reachable
           (there is a noticeable delay at the start of the connection
           (as the sidecar attempt times out (15sec)
           (and
           (sidecar does not work from behind NATs
           (It would be nice to do Kerberos in the nntp connection

    2) Changed the CMDtable[] array in nnrpd.c so only
       'post' and 'ihave' require authentication ( set TRUE)
       no other commands require authentication (set FALSE)
           (the downside is that you can connect to our server
           (from outside Cornell anonymously ... the connection
           (is not rejected.  However your group list is empty
           (if you are unauthenticated and from outside Cornell
           (so you can't do anything useful
           (If you are inside Cornell your group list is
           (the standard most groups ...  this is how we
           (permit anonymous reading ...

    3) post.c is modified to set the Sender: to netid at cornell.invalid
       This becomes the one thing the poster cannot influence in
       their posting, thus it is known who made the post
           (Interestingly, the student assembly moved from email lists
           (to news groups precisely because forging a news posting
           (here at Cornell is so hard (whereas in email it is easy)
           (and they were having problems with forged messages
           (.... politics ....

    4) commands.c is modified so that when an nntp auth command
       is received
            a) nnrpd first attempts to contact sidecar
               if sidecar available succeed or fail based on it
            b) if sidecar not available, then do nntp auth
               and check against kerberos as a proxy
                    (temporary tickets are left lying in /tmp
                    (and have to be cleaned up with cron
                    (... shows just how poor the hack is
            c) in all cases that authentication succeeds
               use permit server (really should become the ldap server)
               to see if there are any groups to add for this netid
         note there is great controversy on whether to let nntp auth
         override sidecar, or the other way round, so at the moment
         if this is more than one auth, the connection is closed


Thus if a reader inside Cornell connects without authentication
and then wishes to post, when they try to post they will get a 480
auth required .. to which they reply by authenticating ...

Sadly there are many warts on this system.  The most obvious wart is
that the only news reader we have at Cornell that successfully handles
the 480 is MT-NewsWatcher (and related).  For the M$ windows crowd
they just get an error message (and it is really awkward to get the
details of the error message) and they have to figure out what to do.
Thus our support documentation instructs Windows users to configure
their reader to authenticate on initial connection.

Also, since we added sidecar support, our user docs have become messier
because having sidecar and forcing auth on initial connection currently
causes nnrpd to close the connection (we decided no reauthentication
allowed).  If we ever get the okay to turn off the nntp auth this problem
will go away, but we will then be plagued by NATs.  It is quite a mess.

Interestingly MT-NewsWatcher claims to have a plug-in to do Kerberos
authentication, but I've not tested it because our server would not
know what to do ...


As a wish, it sure would be nice to be able to implement the
'anonymous read, authenticated post' policy out of the box.
Perhaps it is possible with recent inn and I just have to
do a lot more studying ...


Regards,
Todd Olson
Cornell University.
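As an added illustration (not code from the message above or from INN itself), here is a small policy model of the 'anonymous read, authenticated post' rules the message describes: reader IP inside vs. outside, post/ihave requiring auth (the CMDtable[] change), the empty group list for unauthenticated outside readers, the permit-server group additions, the Sender: header, and the "second auth closes the connection" behaviour. The address ranges, group names and permit-server entries are constructed placeholders, not Cornell's real values.

```python
import ipaddress

# Constructed sample data (assumptions for this example, not Cornell's real values).
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # stands in for "inside Cornell"
STANDARD_GROUPS = {"cornell.general", "cornell.test"}   # what anonymous inside readers see
PERMIT_SERVER = {"abc12": {"cornell.staff.private"}}    # stand-in for the CUSSP permit server

# Mirrors the modified CMDtable[]: only post and ihave require authentication.
CMD_NEEDS_AUTH = {"post": True, "ihave": True, "article": False, "group": False, "list": False}


def is_inside(client_ip):
    """True when the reader IP falls in one of the 'inside' networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INSIDE_NETS)


def sender_header(netid):
    """The Sender: header post.c forces onto every article (netid at cornell.invalid)."""
    return f"Sender: {netid}@cornell.invalid"


class Session:
    """Per-connection state: who (if anyone) authenticated, and whether we hung up."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.netid = None
        self.closed = False

    def authenticate(self, netid):
        """Only one successful authentication per connection; a second one closes it."""
        if self.netid is not None:
            self.closed = True
            return False
        self.netid = netid
        return True

    def visible_groups(self):
        """Unauthenticated outside readers see nothing; inside readers see the standard
        list; authenticated readers also get whatever the permit server adds."""
        if self.netid is None:
            return set(STANDARD_GROUPS) if is_inside(self.client_ip) else set()
        return set(STANDARD_GROUPS) | PERMIT_SERVER.get(self.netid, set())

    def command_reply(self, command):
        """(accepted, code): commands flagged TRUE in the table get 480 until authenticated."""
        if self.closed:
            return (False, None)          # connection already closed, nothing is served
        if CMD_NEEDS_AUTH.get(command, False) and self.netid is None:
            return (False, 480)           # '480 auth required', reader is expected to AUTHINFO
        return (True, None)
```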