[Mailman-Users] question about authentication
Barry A. Warsaw
barry at digicool.com
Tue May 15 18:34:40 CEST 2001
>>>>> "JR" == John Rudd <jrudd at cats.ucsc.edu> writes:
JR> How do you authenticate that a user is who they say they are
JR> when they're entering subscription requests at the web
JR> interface?
JR> Do you do a mailback for confirmation? (I think this would
JR> actually be a minus, due to the nature of our users)

Currently, yes it is a mailback confirmation, although this is
somewhat configurable. The list owner can choose to do 1) mailback, 2)
admin approval, 3) both.

JR> Do you provide a password mechanism to avoid the mailback? If
JR> so, can it interface with kerberos?

No, however there have been some discussions (both off and on line)
about developing an authentication API so that external mechanisms can
be slotted in. I don't see this happening for Mailman 2.1 though.

JR> I don't know if you're familiar with Athena, Moira, and
JR> Moira's "listmaint" software, but we're looking to replace the
JR> Athena mailing list software with something new, and mailman
JR> sounds promising. I just need a way to authenticate
JR> unsophisticated users... and we tend to use our kerberos realm
JR> more as a distributed password system (that has better
JR> security than NIS) than as an ultra-secure authentication
JR> system.

Cool. I think that if you weren't too averse to a bit of Python
hacking, you could hook Mailman into your Kerberos system. It'd be a
hack for now, but hopefully that would help get some experience in
what the right mechanisms should ultimately look like.

-Barry