readers.conf: problem with secure connection

Bill Tangren bjt at
Thu Mar 17 16:09:09 UTC 2005

Jeffrey M. Vinocur wrote:
> On Mar 16, 2005, at 12:27 PM, Bill Tangren wrote:
>>I want to be able to allow *only* those who have accounts on this 
>>to be able to access these newsgroups from outside the firewall. [...]
>>The server, before I started piddling with auth commands, allowed 
>>to make a secure connection. Now that I am trying to add 
>>all I get is a wait cursor when I use a newsgroup reader for access.
>>This is an example of what I've tried in my readers.conf:
>>auth "identified" {
>>     auth: "ckpasswd -f /etc/passwd"
>>     res: "ident"
>>     default: <FAIL>
> Do you use identd?  The delay that you're describing sounds like it 
> could be ident waiting for a timeout to occur.  If you want to use 
> ident but only inside the firewall, I'd recommend two auth blocks with 
> hosts: restrictions to keep you from trying to ident-query people's 
> home machines.
> Also, you shouldn't use -f with ckpasswd, really.  If you want to check 
> the system database and it doesn't use shadowed passwords, just use 
> "ckpasswd"; if it does, use "ckpasswd -s".
> I can provide examples once we flush this out a little better.

I've been playing around with identd, and I found an example on the web 
of using it:

service auth
{
         socket_type             = stream
         protocol                = tcp
         wait                    = yes
         user                    = nobody
         server                  = /usr/sbin/in.identd
         server_args             = in.identd -l -e
         disable                 = no
}

This works, at least somewhat, if I start a tcpdump:

tcpdump -l -i lo | grep auth

and then, from the local machine:

$ telnet localhost auth
Connected to localhost.localdomain (
Escape character is '^]'.
Connection closed by foreign host.

This fails quickly.

The tcpdump output is:

10:32:50.852063 IP > S 126727716:126727716(0) win 32767 <mss 16396>

10:32:50.852356 IP > S 142417215:142417215(0) ack 126727717 win 32767 <mss 16396>

10:32:50.852419 IP > . ack 1 win 32767

10:32:50.925271 IP > R 1:1(0) ack 1 win 32767

According to, this is 
not how identd should behave.

I know this is WAY off topic for this group, so I won't post any more on 
it. If anyone would like to help back channel, I would be most appreciative.

Bill Tangren
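
An added example, not part of the original message: a small Python client for the ident protocol (RFC 1413) that separates a silent timeout (the delay described in the quoted reply) from a daemon that accepts the connection and closes it without answering (what the telnet test above shows). The function names, and the choice to query about the probe connection itself, are assumptions of this example.

```python
import socket

def parse_ident_reply(line):
    """Parse one RFC 1413 reply line; raise ValueError if it is malformed."""
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    ports, kind = fields[0], fields[1].upper()
    if kind == "ERROR":
        return {"ports": ports, "status": "error", "error": fields[2]}
    if kind == "USERID" and len(fields) == 4:
        return {"ports": ports, "status": "userid",
                "opsys": fields[2], "user": fields[3]}
    raise ValueError("malformed ident reply: %r" % line)

def ident_exchange(sock, port_on_server, port_on_client, timeout=5.0):
    """Send one query on a connected socket and classify the outcome."""
    sock.settimeout(timeout)
    data = b""
    try:
        # "server" is the host running identd, "client" is the querying host.
        sock.sendall(b"%d , %d\r\n" % (port_on_server, port_on_client))
        while not data.endswith(b"\n"):
            chunk = sock.recv(512)
            if not chunk:          # peer closed the connection
                break
            data += chunk
    except socket.timeout:         # nothing came back: filtered or hung daemon
        return ("timeout", None)
    except (BrokenPipeError, ConnectionResetError):
        return ("closed-without-reply", None)
    if not data:
        return ("closed-without-reply", None)
    return ("reply", parse_ident_reply(data.decode("ascii", "replace")))

def probe_identd(host, timeout=5.0):
    """Connect to port 113 on host and ask about the probe connection itself."""
    try:
        sock = socket.create_connection((host, 113), timeout=timeout)
    except socket.timeout:
        return ("timeout", None)
    except ConnectionRefusedError:
        return ("refused", None)
    with sock:
        return ident_exchange(sock, 113, sock.getsockname()[1], timeout)

if __name__ == "__main__":
    print(probe_identd("localhost"))
```

A "timeout" result against an outside address matches the wait-cursor symptom; "closed-without-reply" matches the telnet session shown above.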
