crs@convex.cl.msu.edu (Charles Severance (System Manager)) (11/21/90)
Brad Smith writes:
> Are the NNTP people working on a way so that you can restrict a news
> group to certain people (on certain machines)? If not can we get
> it started? I would be willing to help if needed.

Brad,

We at Michigan State University are slowly working on several
enhancements to news services, most of which are related to security.
I would like to get feedback as to which of these might be useful to the
general NNTP user community and possibly be candidates for general use:

This project will extend network news usability in several areas:

- NETNEWS Replacement for IBM CMS which uses NNTP (if you don't use an
  IBM mainframe, this is not very exciting)

- NNTP support for secure newsgroups with optional individual access
  lists for each newsgroup.

- Secure versions of the IBM NETNEWS and the UNIX rn to work with the
  secure newsgroups server.

- NNTP code to provide distributed authorization capabilities for the
  security. This will allow users to have accounts on machines other
  than the news server and still be authorized.

- Code which allows a secure site to get a complete news feed using
  NNTP efficiently. This project is called NNTPRCV.

The intent for replacing NETNEWS on the IBM is to provide nearly the
same functionality as the existing NETNEWS.

The idea behind secure newsgroups is to allow only a limited number of
users to view and post certain news groups. There would be an optional
access list on every news group which determined the accounts which
could access the news group. This works with the distributed
authentication below so an entire organization can be authorized
without adding a single account to the news server. This feature does
not require the distributed authentication however.

NNTP 1.5.10 has an authentication mechanism which is primarily used to
limit the ability of a user to read or post news on the server.
Unfortunately the current implementation of the security requires that
every user authorized to post news have an account on the server. Here
at MSU this is silly because our server is a special purpose news-only
machine and there is no reason to provide 80000 accounts on the machine
just for authorization for news. This effectively makes the NNTP 1.5.10
scheme for authorization useless. We have added a new scheme which
allows people to have access if they have an account on any of a list
of designated machines. This scheme is called XAUTH and requires a
distributed authentication daemon to be run on each of the authorized
hosts. We have a completed authentication daemon for UNIX and work has
started on authentication daemons for IBM CMS and VAX VMS.

These projects are all in various levels of completeness. We will be
putting a big push on between December and January to bring all of
these projects up to Beta test level. Sometime in January, we intend to
begin internal Beta testing all of these projects.

Based on the results of the next several months of development and
testing, we will decide if we will make these services available to the
MSU community. Unfortunately if the people who control NNTP development
will not adopt these features, it becomes very costly to maintain them
with each succeeding release of NNTP and we may decide that the ongoing
development cost is too great.

I would like to hear from users who might be interested in any of these
projects. The secure nntp feed software and the distributed
authentication code are nearly ready for Beta use.

--
Charles Severance             internet: crs@convex.cl.msu.edu
Michigan State University     phone: (517) 353-2984
301 Computer Center           fax: (517) 353-9847
East Lansing, MI 48824        bitnet: 20095CRS@MSU

sob@tmc.edu (Stan Barber) (11/23/90)
The AUTH mechanism in NNTP 1.5.10 is there to illustrate the
capabilities of the mechanism, not to be the definitive WAY to do such
authentication. NNTPv2 will have AUTH as part of the specification.

As the current NNTP curator, I am happy to see developments in this
area, but I'd like to encourage any work to be done within the NNTPv2
spec. That spec should be out as an RFC real soon now. My plans are to
have an NNTPv2 implementation out early next year and no later than
summer.

--
Stan      internet: sob@bcm.tmc.edu           Director, Networking
Olan      uucp: {rutgers,mailrus}!bcm!sob     and Systems Support
Barber    Opinions expressed are only mine.   Baylor College of Medicine