Re: Requiring Authentication for INN2?

<tbf0kj$m118$1@news.mixmin.net>

https://www.novabbs.com/computers/article-flat.php?id=401&group=news.admin.peering#401
Followup: news.software.nntp,news.admin.peering
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!.POSTED!not-for-mail
From: s-p-...@invalid.example (G.K.)
Newsgroups: news.software.nntp,news.admin.peering
Subject: Re: Requiring Authentication for INN2?
Followup-To: news.software.nntp,news.admin.peering
Date: Fri, 22 Jul 2022 15:18:15 -0500
Organization: Mixmin
Message-ID: <tbf0kj$m118$1@news.mixmin.net>
References: <tbeagm$khm7$1@news.mixmin.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 22 Jul 2022 20:17:23 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="993561c00992159d435b84a150ae68766472bcb0";
logging-data="721960"; mail-complaints-to="abuse@mixmin.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.11.0
Content-Language: en-US
In-Reply-To: <tbeagm$khm7$1@news.mixmin.net>
 by: G.K. - Fri, 22 Jul 2022 20:18 UTC

On 7/22/22 09:00, G.K. wrote:
> I managed to get INN2 installed and working locally. The Debian/Ubuntu
> package is broken and would not install so I had to troubleshoot. No joy.
>
> How do I enable username/password authentication for all readers? What
> config option in inn.conf or readers.conf or whatever will make it so:
>
> Every reader, local or remote, must enter a username and password in
> their reader software to post anything to any group, ever.
>
> Are there already any scripted solutions for allowing people to sign up
> for credentials through a web or CLI interface?
>
> Is it possible to confine authentication data to INN without creating
> unix user accounts? If so lay that out.
>
> --
>
> G.K.

I just realized that Eternal-September has an authenticated setup in
which people sign up for credentials via email. I would like to set up
my NNTP server similarly but without a public website, or at least
restrict access to the website similarly to the NNTP server. Instead
users would use a terminal and telnet or ssh to sign up, then the
user/pass would be sent to their email.

Also do any sysops use stunnel to negotiate TLS for nnrpd? I'm
considering that and trying to figure out how exactly and if it is
better than configuring TLS paths directly in nnrpd.

If anyone from Eternal-September or elsewhere has any advice on how to
proceed it would be appreciated. Please post links to any requisite
docs, code repos, or libraries.

--

G.K.

Re: Requiring Authentication for INN2?

<tbempf$k5g$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=402&group=news.admin.peering#402
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp,news.admin.peering
Subject: Re: Requiring Authentication for INN2?
Date: Fri, 22 Jul 2022 14:29:18 -0600
Organization: TNet Consulting
Message-ID: <tbempf$k5g$1@tncsrv09.home.tnetconsulting.net>
References: <tbeagm$khm7$1@news.mixmin.net> <tbf0kj$m118$1@news.mixmin.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 22 Jul 2022 17:29:19 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="20656"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <tbf0kj$m118$1@news.mixmin.net>
Content-Language: en-US
 by: Grant Taylor - Fri, 22 Jul 2022 20:29 UTC

On 7/22/22 2:18 PM, G.K. wrote:
> Also do any sysops use stunnel to negotiate TLS for nnrpd? I'm
> considering that and trying to figure out how exactly and if it is
> better than configuring TLS paths directly in nnrpd.

I've found that using direct support for something is almost always
better than using indirect support for the same thing.

I'm running nnrpd with TLS support directly on port 563.

--
Grant. . . .
unix || die

Re: Requiring Authentication for INN2?

<tben18$vss$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=403&group=news.admin.peering#403
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.software.nntp,news.admin.peering
Subject: Re: Requiring Authentication for INN2?
Date: Fri, 22 Jul 2022 14:33:28 -0600
Organization: TNet Consulting
Message-ID: <tben18$vss$1@tncsrv09.home.tnetconsulting.net>
References: <tbeagm$khm7$1@news.mixmin.net> <tbf0kj$m118$1@news.mixmin.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 22 Jul 2022 17:33:28 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="32668"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <tbf0kj$m118$1@news.mixmin.net>
Content-Language: en-US
 by: Grant Taylor - Fri, 22 Jul 2022 20:33 UTC

On 7/22/22 2:18 PM, G.K. wrote:
> I just realized that Eternal-September has an authenticated setup in
> which people sign up for credentials via email.

> I would like to set up my NNTP server similarly but without a public
> website, or at least restrict access to the website similarly to the
> NNTP server.

I think setting up the email portion would be trivial. People can email
newsmaster@example.com with a request for an account. But the kicker is
that they need to know to email newsmaster@example.com, knowledge that
frequently comes from a web page, something that's hard to do without a
web server.

Admittedly, such sign up would be manual and require the newsmaster to
take action. Though I suspect that's good from an anti-abuse perspective.

> Instead users would use a terminal and telnet or ssh to sign up,
> then the user/pass would be sent to their email.

I think that enabling terminal access (even if it's not full shell
access) is asking for miscreants to abuse ssh / telnet / et al.

What's more, if you aren't going to also be providing terminal access
for reading / posting, then I think you're opening up an attack surface
just for sign up. Something that seems questionable in my opinion.

--
Grant. . . .
unix || die

Re: Requiring Authentication for INN2?

<tbhgqp$r671$1@news.mixmin.net>

https://www.novabbs.com/computers/article-flat.php?id=404&group=news.admin.peering#404
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!.POSTED!not-for-mail
From: s-p-...@example.invalid (G.K.)
Newsgroups: news.software.nntp,news.admin.peering
Subject: Re: Requiring Authentication for INN2?
Date: Sat, 23 Jul 2022 14:06:53 -0500
Organization: Mixmin
Message-ID: <tbhgqp$r671$1@news.mixmin.net>
References: <tbeagm$khm7$1@news.mixmin.net> <tbf0kj$m118$1@news.mixmin.net>
<tben18$vss$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 23 Jul 2022 19:06:02 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="d4adb5048bbec0d4b733f4658b93521883e4fcfa";
logging-data="891105"; mail-complaints-to="abuse@mixmin.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.11.0
Content-Language: en-US
In-Reply-To: <tben18$vss$1@tncsrv09.home.tnetconsulting.net>
 by: G.K. - Sat, 23 Jul 2022 19:06 UTC

On 7/22/22 15:33, Grant Taylor wrote:
> On 7/22/22 2:18 PM, G.K. wrote:
>> I just realized that Eternal-September has an authenticated setup in
>> which people sign up for credentials via email.
>
>> I would like to set up my NNTP server similarly but without a public
>> website, or at least restrict access to the website similarly to the
>> NNTP server.
>
> I think setting up the email portion would be trivial.  People can email
> newsmaster@example.com with a request for an account.  But the kicker is
> that they need to know to email newsmaster@example.com, knowledge that
> frequently comes from a web page, something that's hard to do without a
> web server.
>
> Admittedly, such sign up would be manual and require the newsmaster to
> take action.  Though I suspect that's good from an anti-abuse perspective.
>
>> Instead users would use a terminal and telnet or ssh to sign up, then
>> the user/pass would be sent to their email.
>
> I think that enabling terminal access (even if it's not full shell
> access) is asking for miscreants to abuse ssh / telnet / et al.
>
> What's more, if you aren't going to also be providing terminal access
> for reading / posting, then I think you're opening up an attack surface
> just for sign up.  Something that seems questionable in my opinion.

This may be true. But first things first, having a wide open server to
which anyone can post without authenticating is also an attack surface.

How do I configure INN2 to require authentication for all readers
(including origin localhost)? I would like to get that taken care of
first so I can open up a firewall port and test it out. Figuring out my
front end for signups, although important, can come later.

--

G.K.
