newbie question: state of the art/practice for private newsgroups?

Todd Olson tco2 at cornell.edu
Mon Feb 7 20:23:42 UTC 2011


Hi Miles

... well, not really state of the art,
yet here at Cornell University we use SSL to pass kerberos credentials
to our news server, which then acts as a kerberos proxy.  Our nnrpd
calls scripts I wrote that use INN's auth_krb5 to verify the credentials
and then makes calls to our 'permit' server to handle user permissions to groups.
Once our permit server moves to LDAP I expect just changing the scripts
will be sufficient.  What I have done might not scale to 15-20 groups
because I'm using readers.conf in a simple-minded way.  If I were to go
from the 5 groupings I control to 15-20, I'd re-implement with one of the
*_auth hooks, such as perl_auth or python_auth. 

As a speculation, with only 5000 users and 20 groups
it might even be possible to autogenerate a readers.conf file that has
one stanza per user, listing the groups they can access.  
I don't know what effect this would have on nnrpd startup time.
The *_auth hooks would likely work better.

readers.conf(5) describes the very large number of features available
in INN/nnrpd for access control.  

As for 3-5 replicated servers and peer-to-peer authentication,
what about just using the firewalls on the servers to limit server 
connections by IP address ... what extra benefit do you get with peer-to-peer auth?
Would just wrapping server connections in SSL or SSH tunnels be sufficient?

As for encryption and signing of messages ... that would be an entirely client side issue, right?
I'd be interested in hearing what you learn about that.

As for encryption over the wire between the client and the server, SSL tunnels are useful.
Right now I am using old style stunnel external to nnrpd to talk to 
SSL capable clients such as Thunderbird and NewsWatcher.
Someday I'll switch to the SSL support built into INN/nnrpd.

Regards,
Todd Olson
Cornell University

On 2011-Feb-07, at 11:35, Miles Fidelman wrote:

> What I'm wondering is the current state of the art/practice.  What
> would be a good starting point for building something along the lines
> of:
> - 3-5 replicated servers
> - 15-20 groups
> - 3-5000 users
> - peer-to-peer authentication among servers
> - crypto-based authentication of users, with access control on a user-
> newsgroup level (ideally using kerberos or LDAP for central user
> administration)
> - encryption and signing of messages
> 
> Any thoughts, pointers to reference materials, etc.?
> 
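Todd speculates above that, at 5000 users and 20 groups, one could autogenerate a readers.conf with one stanza per user. The script below is an added illustration of that idea, not Todd's Cornell scripts and not part of INN: it turns a user-to-groups mapping (the SAMPLE_PERMITS dictionary is constructed for the example; a real deployment would pull it from the permit server or LDAP) into a readers.conf with a single auth group that runs INN's auth_krb5 authenticator and one access group per user. The stanza syntax follows readers.conf(5). One check a practitioner would want is added: user and group names are validated before being interpolated into the file, so a name containing a quote, a newline or a `#` handed over by the directory cannot corrupt the generated configuration or grant access it should not.

```python
"""Generate an INN readers.conf with one access stanza per user (example code)."""
import re

# Constructed sample of permit-server data: user -> newsgroups that user may read.
# Users and group names here are made up for the example.
SAMPLE_PERMITS = {
    "alice": ["cornell.cs.staff", "cornell.cs.announce"],
    "bob":   ["cornell.cs.announce"],
    "carol": [],   # known user with no permitted groups: gets no access stanza
}

# readers.conf values are double-quoted strings and '#' starts a comment, so any
# name that could close the quote, add a line, or start a comment is rejected.
_SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")
_SAFE_GROUP = re.compile(r"^[A-Za-z0-9._+-]+$")


def is_safe_user(name):
    return bool(_SAFE_USER.match(name))


def is_safe_group(name):
    return bool(_SAFE_GROUP.match(name))


def auth_stanza(auth_program="auth_krb5"):
    """One auth group for everyone: nnrpd hands the AUTHINFO USER/PASS it received
    to the authenticator (auth_krb5 ships with INN under pathbin/auth/passwd)."""
    return (
        'auth "krb5-users" {\n'
        '    hosts: "*"\n'
        '    auth: "%s"\n'
        '}\n' % auth_program
    )


def access_stanza(user, groups):
    """One access group naming exactly this user and the groups they may read."""
    if not is_safe_user(user):
        raise ValueError("refusing to emit unsafe user name: %r" % user)
    for g in groups:
        if not is_safe_group(g):
            raise ValueError("refusing to emit unsafe group name: %r" % g)
    return (
        'access "user-%s" {\n'
        '    users: "%s"\n'
        '    newsgroups: "%s"\n'
        '}\n' % (user, user, ",".join(groups))
    )


def generate_readers_conf(permits, auth_program="auth_krb5"):
    """Return the full readers.conf text. Users with an empty group list get no
    access stanza, so they authenticate but match no access group and see nothing."""
    parts = [auth_stanza(auth_program)]
    for user in sorted(permits):
        groups = permits[user]
        if groups:
            parts.append(access_stanza(user, groups))
    return "\n".join(parts)


if __name__ == "__main__":
    print(generate_readers_conf(SAMPLE_PERMITS))
```

Regenerate the file whenever the permit data changes and have nnrpd pick it up on the next connection; as Todd notes, the cost of parsing thousands of stanzas at nnrpd startup is the open question, which is why the perl_auth or python_auth hooks are the better fit at scale.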
