private newsgroups & collabra server?
Thomas Hochstein
inn-workers at ml.th-h.de
Sat Apr 9 11:50:06 UTC 2016
Miles Fidelman wrote:
> A follow-up question though - I know that INN (and NNTP) have some
> authentication capabilities - but what I'm still trying to figure out is
> whether these are local only, or whether there are any global
> authentication capabilities for newsgroup access (e.g., encryption
> of messages under a shared key, or distributed access control using
> Kerberos).
INN supports external programs for authentication, see
<https://www.eyrie.org/~eagle/software/inn/docs-2.6/external-auth.html>.
Examples shipped with INN include:
- ckpasswd:
| ckpasswd accepts a username and password from nnrpd and tells nnrpd(8)
| whether that's the correct password for that username. By default,
| when given no arguments, it tries to check the password using PAM if
| support for PAM was found when INN was built. Failing that, it tries
| to check the password against the password field returned by
| getpwnam(3).
- auth_krb5:
| This program does authentication for nnrpd against a Kerberos v5 KDC.
| This is NOT real Kerberos authentication using service tickets;
| instead, a username and password is used to attempt to obtain a
| Kerberos v5 TGT to confirm that they are valid. As such, this
| authenticator assumes that nnrpd has been given the user's username
| and password, and therefore is not as secure as real Kerberos
| authentication. It generally should only be used with NNTP over TLS
| to protect the password from sniffing.
|
| Normally, you do not want to use this authenticator. Instead, use
| ckpasswd with PAM support and configure the nnrpd PAM stack to use a
| Kerberos PAM module. A full Kerberos PAM module is more sophisticated
| about how it validates passwords and has a much broader array of
| options than this authenticator.
- radius:
| radius is an nnrpd authenticator, accepting a username and password
| from nnrpd (given to nnrpd by a reader connection) and attempting to
| authenticate that username and password against a RADIUS server.
You can modify one of them to suit your needs or roll your own.
It is quite possible to set INN up, using Kerberos or a SQL database
for authentication, with user accounts managed using a GUI or a web
app (you'd most probably have to create yourself); and you could manage
creation, modification or deletion of local newsgroups by a GUI tool
or a web app, too. It shouldn't be too hard to whip something up in
that way.
Regards,
-thh
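
A sketch of the "roll your own" option with a SQL database, added here as an example; it is not code from the post or from INN. It assumes the nnrpd external-auth interface as described in the linked documentation (`ClientAuthname:` and `ClientPassword:` lines on stdin ending with a lone period, `User:` plus the name on stdout and exit status 0 on success); the table layout, PBKDF2 parameters and the demo account are constructed for illustration.

```python
#!/usr/bin/env python3
# Added example: nnrpd authenticator checking salted PBKDF2 hashes in SQLite.
import hashlib, hmac, os, sqlite3, sys

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value, tune for your host)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def parse_request(lines):
    """Parse the 'Key: value' lines nnrpd writes to the authenticator's stdin."""
    fields = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == ".":                  # a lone period ends the request
            break
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields

def check(db, fields):
    """Return the username if the credentials match, else None."""
    user = fields.get("ClientAuthname")
    password = fields.get("ClientPassword")
    if not user or password is None:
        return None
    # Parameterised query: the client-supplied name never becomes SQL text.
    row = db.execute("SELECT salt, pwhash FROM users WHERE name = ?",
                     (user,)).fetchone()
    # Hash even for unknown users so timing does not reveal which names exist.
    salt, stored = row if row else (b"\0" * 16, b"")
    candidate = hash_password(password, salt)
    return user if row and hmac.compare_digest(candidate, stored) else None

def demo_db():
    """Constructed in-memory user table with one hypothetical account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("s3cret", salt)))
    return db

if __name__ == "__main__":
    # Optional argument: path to a SQLite file using the schema from demo_db().
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else demo_db()
    user = check(db, parse_request(sys.stdin))
    if user is None:
        sys.exit(1)                      # non-zero exit: authentication failed
    sys.stdout.write("User:%s\r\n" % user)
```

As with auth_krb5 above, the password reaches the authenticator in clear text, so this only makes sense with NNTP over TLS.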