>>>>> "Christophe" == Christophe Kalt <kalt@xxxxxxxxxxx> writes: Christophe> currently, ircd supports Christophe> o 2 methods for authentication: DNS (for the hostname) Christophe> and identd (for the username). o 2 methods for access Christophe> control: K (very flexible, but works based on user@host Christophe> only), and R lines (better, but blocking!). You left out I-lines (and Y-lines for connection limits). :) Christophe> I'm interested in hearing from people who would need Christophe> other authentication mechanisms (what is it? public? Christophe> homebrewed? ..) In particular, I'd like to hear from Christophe> people currently using R lines. While R-lines are extremely useful, I know in our situation the overhead of a process being fork()ed off with each connection is quite high -- web servers that fork off a process for each connection deal with this in a variety of ways, including pre-forking (but then the fork()ed process has to be special and can't just be any old process). It would be much nicer to have a sibling process that was used for this kind of authentication -- rather than invoke the same process over and over for each connection, it would make more sense to have a single process that was asked about each connection. It could be possible to use/extend the existing SERVICE features of ircd for this kind of thing, which would be kind of nice/neat and allow authentication to be done on a separate machine. An alternative might be to modify the semantics of the R-line to allow for a single process. Eventually it might even be possible to replace I/Y/K/R lines (in terms of user-authentication and access-control) with this single sibling process. This would have the advantage of shifting policies out of the ircd and into what could become a separate "management" module. It would have the disadvantage of problems if the process died, and that policy wouldn't be as readily available via /stats (although that's currently true for policy implemented via R-lines anyway). Anyway, that's a just a little feedback with a few ideas (not necessarily great ones:) thrown in. As always, discussion welcome (and encouraged). - Andrew "Earthpig" Snare -- #!/usr/bin/env python print(lambda s:s+"("+`s`+")")\ ('#!/usr/bin/env python\012print(lambda s:s+"("+`s`+")")\\\012') print(lambda x:x%`x`)('print(lambda x:x%%`x`)(%s)')
Attachment:
pgp00006.pgp
Description: PGP signature