>>>>> "Christophe" == Christophe Kalt <kalt@xxxxxxxxxxx> writes:
Christophe> currently, ircd supports
Christophe> o 2 methods for authentication: DNS (for the hostname)
Christophe> and identd (for the username). o 2 methods for access
Christophe> control: K (very flexible, but works based on user@host
Christophe> only), and R lines (better, but blocking!).
You left out I-lines (and Y-lines for connection limits). :)
Christophe> I'm interested in hearing from people who would need
Christophe> other authentication mechanisms (what is it? public?
Christophe> homebrewed? ..) In particular, I'd like to hear from
Christophe> people currently using R lines.
While R-lines are extremely useful, I know in our situation the
overhead of a process being fork()ed off with each connection is quite
high -- web servers that fork off a process for each connection deal
with this in a variety of ways, including pre-forking (but then the
fork()ed process has to be special and can't just be any old process).
It would be much nicer to have a sibling process that was used for
this kind of authentication -- rather than invoke the same process
over and over for each connection, it would make more sense to have a
single process that was asked about each connection.
It could be possible to use/extend the existing SERVICE features of
ircd for this kind of thing, which would be kind of nice/neat and
allow authentication to be done on a separate machine. An alternative
might be to modify the semantics of the R-line to allow for a single
process.
Eventually it might even be possible to replace I/Y/K/R lines (in
terms of user-authentication and access-control) with this single
sibling process. This would have the advantage of shifting policies
out of the ircd and into what could become a separate "management"
module. It would have the disadvantage of problems if the process
died, and that policy wouldn't be as readily available via /stats
(although that's currently true for policy implemented via R-lines
anyway).
Anyway, that's a just a little feedback with a few ideas (not
necessarily great ones:) thrown in. As always, discussion welcome (and
encouraged).
- Andrew "Earthpig" Snare
--
#!/usr/bin/env python
print(lambda s:s+"("+`s`+")")\
('#!/usr/bin/env python\012print(lambda s:s+"("+`s`+")")\\\012')
print(lambda x:x%`x`)('print(lambda x:x%%`x`)(%s)')
Attachment:
pgp00006.pgp
Description: PGP signature