• Re: Requiring Authentication for INN2?

    From Grant Taylor@21:1/5 to G.K. on Fri Jul 22 14:29:18 2022
    XPost: news.software.nntp

    On 7/22/22 2:18 PM, G.K. wrote:
    > Also do any sysops use stunnel to negotiate TLS for nnrpd? I'm
    > considering that and trying to figure out how exactly and if it is
    > better than configuring TLS paths directly in nnrpd.

    I've found that using direct support for something is almost always
    better than using indirect support for the same thing.

    I'm running nnrpd with TLS support directly on port 563.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From G.K.@21:1/5 to G.K. on Fri Jul 22 15:18:15 2022
    XPost: news.software.nntp

    On 7/22/22 09:00, G.K. wrote:
    > I managed to get INN2 installed and working locally. The Debian/Ubuntu
    > package is broken and would not install so I had to troubleshoot. No joy.
    >
    > How do I enable username/password authentication for all readers? What
    > config option in inn.conf or readers.conf or whatever will make it so:
    >
    > Every reader, local or remote, must enter a username and password in
    > their reader software to post anything to any group, ever.
    >
    > Are there already any scripted solutions for allowing people to sign up
    > for credentials through a web or CLI interface?
    >
    > Is it possible to confine authentication data to INN without creating
    > unix user accounts? If so lay that out.
    >
    > --
    >
    > G.K.

    I just realized that Eternal-September has an authenticated setup in
    which people sign up for credentials via email. I would like to set up
    my NNTP server similarly but without a public website, or at least
    restrict access to the website similarly to the NNTP server. Instead
    users would use a terminal and telnet or ssh to sign up, then the
    user/pass would be sent to their email.

    Also do any sysops use stunnel to negotiate TLS for nnrpd? I'm
    considering that and trying to figure out how exactly and if it is
    better than configuring TLS paths directly in nnrpd.

    If anyone from Eternal-September or elsewhere has any advice on how to
    proceed it would be appreciated. Please post links to any requisite
    docs, code repos, or libraries.

    --

    G.K.

  • From Grant Taylor@21:1/5 to G.K. on Fri Jul 22 14:33:28 2022
    XPost: news.software.nntp

    On 7/22/22 2:18 PM, G.K. wrote:
    > I just realized that Eternal-September has an authenticated setup in
    > which people sign up for credentials via email.
    >
    > I would like to set up my NNTP server similarly but without a public
    > website, or at least restrict access to the website similarly to the
    > NNTP server.

    I think setting up the email portion would be trivial. People can email
    newsmaster@example.com with a request for an account. But the kicker is
    that they need to know to email newsmaster@example.com, knowledge that
    frequently comes from a web page, something that's hard to do without a
    web server.

    Admittedly, such sign up would be manual and require the newsmaster to
    take action. Though I suspect that's good from an anti-abuse perspective.

    > Instead users would use a terminal and telnet or ssh to sign up,
    > then the user/pass would be sent to their email.

    I think that enabling terminal access (even if it's not full shell
    access) is asking for miscreants to abuse ssh / telnet / et al.

    What's more, if you aren't going to also be providing terminal access
    for reading / posting, I think you're opening up an attack surface
    just for sign up. Something that seems questionable in my opinion.



    --
    Grant. . . .
    unix || die

  • From G.K.@21:1/5 to Grant Taylor on Sat Jul 23 14:06:53 2022
    XPost: news.software.nntp

    On 7/22/22 15:33, Grant Taylor wrote:
    > On 7/22/22 2:18 PM, G.K. wrote:
    >> I just realized that Eternal-September has an authenticated setup in
    >> which people sign up for credentials via email.
    >>
    >> I would like to set up my NNTP server similarly but without a public
    >> website, or at least restrict access to the website similarly to the
    >> NNTP server.
    >
    > I think setting up the email portion would be trivial. People can email
    > newsmaster@example.com with a request for an account. But the kicker is
    > that they need to know to email newsmaster@example.com, knowledge that
    > frequently comes from a web page, something that's hard to do without a
    > web server.
    >
    > Admittedly, such sign up would be manual and require the newsmaster to
    > take action. Though I suspect that's good from an anti-abuse perspective.
    >
    >> Instead users would use a terminal and telnet or ssh to sign up, then
    >> the user/pass would be sent to their email.
    >
    > I think that enabling terminal access (even if it's not full shell
    > access) is asking for miscreants to abuse ssh / telnet / et al.
    >
    > What's more, if you aren't going to also be providing terminal access
    > for reading / posting, I think you're opening up an attack surface
    > just for sign up. Something that seems questionable in my opinion.

    This may be true. But first things first, having a wide open server to
    which anyone can post without authenticating is also an attack surface.

    How do I configure INN2 to require authentication for all readers
    (including origin localhost)? I would like to get that taken care of
    first so I can open up a firewall port and test it out. Figuring out my
    front end for signups, although important, can come later.

    --

    G.K.

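    The readers.conf shape that addresses the question above (every reader, localhost included, authenticates; credentials kept in an INN-owned file rather than unix accounts; AUTHINFO only over TLS), added here as an illustration and not taken from the thread or from INN's shipped sample. It assumes INN's sample `auth "localhost"` / `access "localhost"` groups, which hand local clients an identity without a password, have been removed; the password file path and the group names are assumptions.

```conf
# readers.conf (added example). One auth group covers every client, so
# nothing gets an identity without presenting a password.

auth "all" {
    # Match every client address, including 127.0.0.1 and ::1.
    hosts: "*"
    # Only match when the session is already encrypted (nnrpd on port 563,
    # or after STARTTLS); plaintext clients match nothing and are denied.
    require_ssl: true
    # Verify username/password with ckpasswd against an htpasswd-format
    # file owned by INN; no unix accounts involved. Path is an assumption.
    auth: "ckpasswd -f /etc/news/nnrp-passwd"
    # No "default:" line: a client that never sends AUTHINFO has no
    # identity and therefore matches no access group below.
}

# Authenticated identities may read and post everywhere.
access "authenticated" {
    users: "*"
    newsgroups: "*"
    access: RP
}
```

    `ckpasswd -f` reads the same `user:hash` format that Apache's htpasswd writes, and ckpasswd verifies with the system crypt(), so the hash schemes available depend on the libc; check that the scheme htpasswd emitted actually verifies before opening the firewall port.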