This page describes how our setup works, so that you can understand the functions we provide for password authentication and IP-to-username resolution.
This is really straightforward. Our news machines and user hosts don't use the same password files. We don't think they should ever have to use the same password files. However, users should be able to log in to the news machines from machines we don't know we can trust, and verify their identity through the use of the same passwords. So, we mirror the user password file to a different directory on the news hosts (the directory and the file are only readable by news), and have defined a function (invoked by the name "PW" in the third field in nnrp.access) that opens the filename passed to it and searches for the username in this file. It runs crypt(3) on the password it is given and compares the result with the password associated with the user in the file. If they differ, it returns an error code. Just like login, but with a different password file.
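A sketch of that lookup-and-compare step, added here as an example and not the code from our patch. It assumes the mirrored file uses the passwd(5) layout (`user:hash:...`); the names `pw_check`, `hash_fn` and `demo_hash` are hypothetical, and `demo_hash` is a constructed stand-in so the example runs without libcrypt (pass `crypt` itself in real use).

```c
#include <stdio.h>
#include <string.h>
/* Same signature as crypt(3); pass crypt itself in real use (link -lcrypt). */
typedef char *(*hash_fn)(const char *key, const char *setting);
enum { PW_OK, PW_BADPASS, PW_NOUSER, PW_NOFILE };

/* Constructed stand-in for crypt(3), NOT a real hash: 2-char salt + key. */
char *demo_hash(const char *key, const char *setting)
{
    static char out[128];
    snprintf(out, sizeof out, "%.2s%.100s", setting, key);
    return out;
}

/* Find user in a passwd(5)-style file ("user:hash:...") and check pass. */
int pw_check(const char *path, const char *user, const char *pass, hash_fn hash)
{
    char line[1024], *stored, *got;
    size_t ulen = strlen(user);
    int rc = PW_NOUSER;
    FILE *fp;
    /* A ':' in the name would shift the field boundaries checked below. */
    if (ulen == 0 || strchr(user, ':') != NULL)
        return PW_NOUSER;
    if ((fp = fopen(path, "r")) == NULL)
        return PW_NOFILE;
    while (rc == PW_NOUSER && fgets(line, sizeof line, fp) != NULL) {
        /* The whole first field must match, not just a prefix of it. */
        if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
            continue;
        stored = line + ulen + 1;
        stored[strcspn(stored, ":\n")] = '\0';
        /* Empty, "*" or "!" fields never match; hash() may return NULL. */
        got = strchr("*!", stored[0]) ? NULL : hash(pass, stored);
        rc = (got != NULL && strcmp(got, stored) == 0) ? PW_OK : PW_BADPASS;
    }
    fclose(fp);
    return rc;
}

int main(void)
{
    FILE *fp = fopen("news.passwd.sample", "w");   /* constructed sample */
    if (fp == NULL) return 1;
    fputs("alice:abwonderland:1001:100::/home/alice:/bin/sh\n", fp);
    fclose(fp);
    printf("%d\n", pw_check("news.passwd.sample", "alice", "wonderland", demo_hash));
    return 0;
}
```

The three guards are the parts worth carrying over to a real implementation: whole-field username matching, rejecting locked or empty hash fields before hashing, and treating a NULL return from the hash function as a failed login.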
We have now added code that searches a database for the username, which should be much nicer for large sites. It is invoked by the keyword "DB" with a filename.
All of our users connecting via PPP have hostnames of the form
On our user hosts, we are running a version of identd which will send an encrypted reply to the news server if the user has a .noident file in their home directory, and otherwise send the unencrypted username.