[Mailman-Users] question about authentication

Barry A. Warsaw barry at digicool.com
Tue May 15 18:34:40 CEST 2001


>>>>> "JR" == John Rudd <jrudd at cats.ucsc.edu> writes:

    JR> How do you authenticate that a user is who they say they are
    JR> when they're entering subscription requests at the web
    JR> interface?

    JR> Do you do a mailback for confirmation?  (I think this would
    JR> actually be a minus, due to the nature of our users)

Currently, yes it is a mailback confirmation, although this is
somewhat configurable.  The list owner can choose to do 1) mailback, 2)
admin approval, 3) both.

    JR> Do you provide a password mechanism to avoid the mailback?  If
    JR> so, can it interface with kerberos?

No, however there have been some discussions (both off and on line)
about developing an authentication API so that external mechanisms can
be slotted in.  I don't see this happening for Mailman 2.1 though.

    JR> I don't know if you're familiar with Athena, Moira, and
    JR> Moira's "listmaint" software, but we're looking to replace the
    JR> Athena mailing list software with something new, and mailman
    JR> sounds promising.  I just need a way to authenticate
    JR> unsophisticated users... and we tend to use our kerberos realm
    JR> more as a distributed password system (that has better
    JR> security than NIS) than as an ultra-secure authentication
    JR> system.

Cool.  I think that if you weren't too averse to a bit of Python
hacking, you could hook Mailman into your Kerberos system.  It'd be a
hack for now, but hopefully that would help get some experience in
what the right mechanisms should ultimately look like.

-Barry
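
An added example, not part of the original message and not Mailman's own code: the three subscription policies named in the reply (mailback, admin approval, both) with a mailback token that proves control of the mailbox. The key, the expiry period and every function and class name here are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site key, kept server-side
TTL = 3 * 24 * 3600               # assumption: confirmations expire after 3 days
STEPS = {"mailback": {"mailback"}, "approval": {"admin"},
         "both": {"mailback", "admin"}}

def _mac(listname, address, expires):
    # repr() of the tuple keeps the three fields unambiguous in the MAC input
    msg = repr((listname, address.lower(), expires)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(listname, address, now=None):
    """Token mailed to `address`; presenting it shows the mailbox is reachable."""
    expires = int(time.time() if now is None else now) + TTL
    return f"{expires}.{_mac(listname, address, expires)}"

def check_token(listname, address, token, now=None):
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:            # malformed token
        return False
    now = time.time() if now is None else now
    good = _mac(listname, address, expires)
    # Constant-time compare; the MAC binds list, address and expiry together.
    return hmac.compare_digest(mac.encode(), good.encode()) and now <= expires

class PendingSubscription:
    def __init__(self, listname, address, policy):
        self.listname, self.address = listname, address
        self.remaining = set(STEPS[policy])   # steps still outstanding

    def confirm(self, token, now=None):       # user returns the mailed token
        if check_token(self.listname, self.address, token, now):
            self.remaining.discard("mailback")

    def approve(self):                        # called by the list admin
        self.remaining.discard("admin")

    @property
    def subscribed(self):
        return not self.remaining
```

A token issued for one address or list does not verify for another, so a web request alone cannot subscribe someone else's mailbox under the mailback or both policies.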



