At 11:06 AM 11/3/00 +0100, you wrote:
>Despite your efforts I still cannot get this to work properly.
>Below you find my settings and the resulting error message.
>
>Settings in access.conf:
>*:logoff:::*
>127.0.0.1:read,post:$lookup$:$lookup$:*:
>
>Settings in dnewsweb.ini:
>default_user webuser
>tellnews_pass ????????
>
>Settings in users.dat:
>admin:XXXXXXX:Full:*::*
>webuser:password:None:*::
>
>This results in the following error message when connecting:
>News host authentication failed: 502 Please modify your client to use SSL
>{sestow1099}, Goodbye
>(nntp_logoff message)
>
>
>What do you suggest for my next step in solving this?
Ok, remove tellnews_pass from dnewsweb.ini, and add to
the END of access.conf
sestow1099:read,post:::*
If that isn't the ip number of your web server, then add another line with
the ip number of your web server, then it should work, basically you need
to open a peep hole so that just the web server can get in on port 119
ChrisP.
>Regards,
>Erik Alsmyr
>
>"Support PN" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
> > [EMAIL PROTECTED] wrote:
> > >
> > > I have done what you specify in your answer below. The following is now my
> > > problem:
> > >
> > > I cannot allow users from 127.0.0.1 in access.conf to read and write without
> > > authentication since sslwrap talks to DNEWS from this IP. This would allow
> > > anonymous access when going through sslwrap.
> > >
> > > So, I put "127.0.0.1:read,post:$lookup$:$lookup$:*:" as my only access rule
> > > in access.conf. This prompts ssl users for password when connecting. All is
> > > well.
> > >
> > > When using the DnewsWeb interface however, the users authenticate with the
> > > IIS on my server and after this are free to use DnewsWeb without
> > > authenticating once again against DNEWS, this providing a single login to
> > > the entire system. I guess that DnewsWeb talks to DNEWS in the same manner
> > > as sslwrap (from 127.0.0.1) because now I get prompted for username and
> > > password when accessing.
> > >
> > > Can this be solved by configuring DnewsWeb to submit a username and
> > > password automatically? This user will exist only on the server and no one
> > > will notice being logged in as it (I do not use personalized features in
> > > dnewsweb).
> >
> > I believe you can do this in dnewsweb.ini by adding the following
> > settings...
> >
> > default_user webuser
> > tellnews_pass xxxxx
> >
> > Where xxxxx is the contents of your tellnews.pass file from the DNews
> > workarea directory and webuser is the username you want DNewsweb to
> > login to DNews by default as. Of course you'll need to define that user
> > with a line in users.dat.
> >
> > webuser:password:None:*::
> >
> > Let us know if you have any trouble getting this to work.
> >
> > Regards,
> > Brian
> > --------------------------------------------------------------
> > Note: If you are using Dnewsweb version prior to 5.4f3 we recommend
> > you upgrade due to a potential security issue found in those versions.
> >
> > Customer Support (private) -- [EMAIL PROTECTED]
> > Mailing list Support (public) -- [EMAIL PROTECTED]
> > Online Manual -- http://netwinsite.com/dnews/manual.htm
> > Netwinsite search engine -- http://www.netwinsite.com/find.htm
> > Online FAQ -- http://netwinsite.com/dnews/faq.htm
> > Mailing list archive --
> > http://www.netwinsite.com/cgi/dnewsweb.cgi?cmd=xover&group=netwin.dnews
> > ftp://ftp.netwinsite.com/pub/netwinsite
> >
> >
> >
> > >
> > > Best regards,
> > > Erik Alsmyr
> > >
> > > > >3. The DNEWs server still answers on port 119. This allows users to login
> > > > >with the password unencrypted if they didn't follow the instructions to
> > > > >change their client to use SSL. Can I make DNEWS send a customized
> > > > >error message on port 119 before asking for password authentication? If not
> > > > >can I prevent DNEWS from answering on port 119?
> > > >
> > > > yes sort of, add to dnews.conf
> > > > nntp_logoff Please modify your client to use SSL
> > > > And in access.conf add:
> > > > *:logoff:::*
> > > > 127.0.0.1:read,post:::*
> > > > I think that will do the trick, basically there is a fault in the ssl
> > > > wrapping in that the connections appear to come from the local host, and
> > > > you can exploit that to refuse connections that don't come from the local
> > > > host. The down side is you really need to use user/passwords for access
> > > > control as ip addresses are not applied in access.conf correctly.
> > > >
> > > > ChrisP.
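
Added example (not part of the original thread and not DNews code): a small Python check for the concern discussed above, that an access.conf rule granting read/post with empty user and password fields lets any connection matching that host in without credentials. The field order host:access:user:password:groups is inferred from the lines quoted in the thread; the function names and the trusted-host allowlist are assumptions.

```python
from typing import List, NamedTuple, Set

class Rule(NamedTuple):
    lineno: int
    host: str
    access: Set[str]
    user: str
    password: str

def parse_access_conf(text: str) -> List[Rule]:
    """Parse rules, assuming host:access:user:password:groups per line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: blank lines and '#' lines carry no rule.
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected 5 fields: {raw!r}")
        host, access, user, password = fields[:4]
        flags = {f.strip().lower() for f in access.split(",") if f.strip()}
        rules.append(Rule(lineno, host, flags, user, password))
    return rules

def unauthenticated_grants(rules: List[Rule], trusted_hosts: Set[str]) -> List[Rule]:
    """Rules that grant read or post with no user/password requirement
    to a host pattern that is not on the allowlist."""
    findings = []
    for r in rules:
        grants = r.access & {"read", "post"}
        no_auth = not r.user and not r.password
        if grants and no_auth and r.host not in trusted_hosts:
            findings.append(r)
    return findings

# Constructed from the lines quoted in the thread.
# First suggestion: loopback is open, so sslwrap traffic needs no password.
OPEN_LOOPBACK = "*:logoff:::*\n127.0.0.1:read,post:::*\n"
# Final suggestion: loopback requires a login, only the web server host is open.
WEB_HOST_ONLY = (
    "*:logoff:::*\n"
    "127.0.0.1:read,post:$lookup$:$lookup$:*:\n"
    "sestow1099:read,post:::*\n"
)

if __name__ == "__main__":
    for name, conf in (("open loopback", OPEN_LOOPBACK), ("web host only", WEB_HOST_ONLY)):
        for r in unauthenticated_grants(parse_access_conf(conf), {"sestow1099"}):
            print(f"{name}: line {r.lineno} grants {sorted(r.access)} to {r.host} without auth")
```

Only the first configuration is reported, because its loopback rule is the one that sslwrap connections also match.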