readers.conf: problem with secure connection
Bill Tangren
bjt at aa.usno.navy.mil
Thu Mar 17 15:19:40 UTC 2005
Jeffrey M. Vinocur wrote:
> On Mar 16, 2005, at 12:27 PM, Bill Tangren wrote:
>
>> I want to be able to allow *only* those who have accounts on this server
>> to be able to access these newsgroups from outside the firewall. [...]
>>
>> The server, before I started piddling with auth commands, allowed anyone
>> to make a secure connection. Now that I am trying to add authentication,
>> all I get is a wait cursor when I use a newsgroup reader for access.
>>
>> This is an example of what I've tried in my readers.conf:
>>
>> auth "identified" {
>>     auth: "ckpasswd -f /etc/passwd"
>>     res: "ident"
>>     default: <FAIL>
>> }
>
> Do you use identd? The delay that you're describing sounds like it
> could be ident waiting for a timeout to occur. If you want to use
> ident but only inside the firewall, I'd recommend two auth blocks with
> hosts: restrictions to keep you from trying to ident-query people's
> home machines.
>
> Also, you shouldn't use -f with ckpasswd, really. If you want to check
> the system database and it doesn't use shadowed passwords, just use
> "ckpasswd"; if it does, use "ckpasswd -s".
>
> I can provide examples once we flush this out a little better.
>
It sounds like the identd is the problem, because I commented out the
ckpasswd line, and it still timed out. identd is not running, so I
downloaded it and installed it. Still no joy, though that may be because
I didn't set up identd properly. The README file for it stipulates that
it can run from inetd, so I looked at /etc/services, and saw these two
lines:
auth 113/tcp authentication tap ident
auth 113/udp authentication tap ident

so I set up a service called auth in /etc/xinetd.d:

service auth
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.identd
    server_args = -l
    disable     = no
}
I think this is how the README said to do it. Of course, I restarted
xinetd after adding it. in.identd is a soft link to identd.
Even with this for the auth block in readers.conf:

auth "identified" {
    # key: through_the_firewall
    require_ssl: true
    # auth: "ckpasswd -s"
    # res: ident
    # default: <SPECIAL>
}

it still times out. With both, or either, of the auth and res lines
uncommented, it still times out.
Sigh.
Bill
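An added example, not from either poster, of the readers.conf layout Jeffrey describes above (two auth blocks split by hosts: so ident is only queried inside the firewall, and ckpasswd -s rather than -f for a shadowed system database). The network range, group names and the single access block are assumptions for illustration; check readers.conf(5) for the auth-block precedence rules of your INN version.

```conf
# readers.conf fragment (added example, not from the thread).
# readers.conf uses the last matching auth block, so the general block
# comes first and the more specific inside-the-firewall block after it.

# Everyone, by default: must come in over TLS and present a password
# checked against the shadowed system database. There is deliberately
# no res: line here, so nnrpd never sends an ident query to an outside
# host and never waits on the ident timeout Bill is seeing.
auth "external" {
    hosts: "*"
    require_ssl: true
    auth: "ckpasswd -s"
    default: "<FAIL>"
}

# Inside the firewall only (10.0.0.0/8 is a placeholder for the real
# internal range): identify the user via ident. Because of hosts:, this
# resolver is never tried against machines outside the firewall.
auth "internal" {
    hosts: "10.0.0.0/8"
    res: "ident"
    default: "<FAIL>"
}

# Identified users (from either block) may read and post; a connection
# that neither block identifies matches no access block and is refused.
access "users" {
    users: "*"
    newsgroups: "*"
}
```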