readers.conf: problem with secure connection
Bill Tangren
bjt at aa.usno.navy.mil
Thu Mar 17 16:09:09 UTC 2005
Jeffrey M. Vinocur wrote:
> On Mar 16, 2005, at 12:27 PM, Bill Tangren wrote:
>
>
>>I want to be able to allow *only* those who have accounts on this
>>server
>>to be able to access these newsgroups from outside the firewall. [...]
>>
>>The server, before I started piddling with auth commands, allowed
>>anyone
>>to make a secure connection. Now that I am trying to add
>>authentication,
>>all I get is a wait cursor when I use a newsgroup reader for access.
>>
>>This is an example of what I've tried in my readers.conf:
>>
>>auth "identified" {
>> auth: "ckpasswd -f /etc/passwd"
>> res: "ident"
>> default: <FAIL>
>>}
>
>
> Do you use identd? The delay that you're describing sounds like it
> could be ident waiting for a timeout to occur. If you want to use
> ident but only inside the firewall, I'd recommend two auth blocks with
> hosts: restrictions to keep you from trying to ident-query people's
> home machines.
>
> Also, you shouldn't use -f with ckpasswd, really. If you want to check
> the system database and it doesn't use shadowed passwords, just use
> "ckpasswd"; if it does, use "ckpasswd -s".
>
> I can provide examples once we flesh this out a little better.
>
>
I've been playing around with identd, and I found an example on the web
of using it:

    # /etc/xinetd.d/auth: run identd from xinetd on the "auth" port (113/tcp)
    service auth
    {
        # TCP stream service
        socket_type = stream
        protocol    = tcp
        # wait = yes: xinetd hands the listening socket to the daemon and
        # accepts no further connections until that daemon exits
        wait        = yes
        # run the daemon unprivileged
        user        = nobody
        server      = /usr/sbin/in.identd
        # these are appended after the program name, which xinetd supplies itself
        server_args = in.identd -l -e
        disable     = no
    }
This works, at least somewhat, if I start a tcpdump:
tcpdump -l -i lo | grep auth
and then, from the local machine:
$ telnet localhost auth
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
Connection closed by foreign host.
$
This fails quickly.
The tcpdump output is:
10:32:50.852063 IP news.server.com.33283 > news.server.com.auth: S 126727716:126727716(0) win 32767 <mss 16396>
10:32:50.852356 IP news.server.com.auth > news.server.com.33283: S 142417215:142417215(0) ack 126727717 win 32767 <mss 16396>
10:32:50.852419 IP news.server.com.33283 > news.server.com.auth: . ack 1 win 32767
10:32:50.925271 IP news.server.com.auth > news.server.com.33283: R 1:1(0) ack 1 win 32767
According to http://www.mandrakehelp.com/identd-HOWTO-4.html, this is
not how identd should behave.
I know this is WAY off topic for this group, so I won't post any more on
it. If anyone would like to help back channel, I would be most appreciative.
Bill Tangren
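An added example, not from the original thread and not INN's own sample configuration, of the layout Jeffrey suggests above: two auth groups separated by hosts: restrictions, so that the ident resolver is only run for hosts inside the firewall and everyone else is checked against the system password database with ckpasswd -s rather than -f /etc/passwd. The network 192.168.1.0/24, the group names and the identity string <FAIL> are placeholders. readers.conf is order-sensitive; the layout assumes, as readers.conf(5) describes, that a later matching group overrides an earlier one, so confirm that rule against the manual shipped with your INN version before relying on it.

```text
# readers.conf (example layout, not the original poster's file)

# Any host: identity comes only from AUTHINFO USER/PASS checked against
# the system shadow database. ckpasswd -s needs read access to the
# shadow file, so nnrpd (or ckpasswd itself) must run with privileges
# that allow that. A client that never authenticates ends up as <FAIL>.
auth "remote" {
    hosts: "*"
    auth: "ckpasswd -s"
    default: "<FAIL>"
}

# Hosts inside the firewall only (placeholder network): identify them
# with an ident lookup. Because this group never matches an outside
# address, nnrpd never sends an ident query to a home machine, so a
# connection cannot hang waiting for a filtered port 113 to time out.
auth "local" {
    hosts: "192.168.1.0/24, localhost, 127.0.0.1"
    res: "ident"
    default: "<FAIL>"
}

# Every established identity (ident-resolved or password-authenticated)
# may read and post everywhere.
access "users" {
    users: "*"
    newsgroups: "*"
}

# Listed last so it overrides the group above: anything that ended up
# as <FAIL> sees no newsgroups at all.
access "denied" {
    users: "<FAIL>"
    newsgroups: "!*"
}
```

A quick check after installing it: connecting to port 119 from an address outside the placeholder network should return the NNTP greeting immediately (no ident query is attempted, so no timeout), and LIST should show nothing until AUTHINFO succeeds; from an inside address, the greeting should arrive only as fast as the local identd answers, which is what the tcpdump test above exercises.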