AUTHENTICATION OF USENET GROUP CHANGES

This document addresses a method for the authentication of the special types of Usenet articles that are used to maintain the namespace of Usenet groups. A basic familiarity with what the Usenet control message types "newgroup", "rmgroup" and "checkgroups" do is assumed; this is not a tutorial in namespace administration.

Usenet articles are notoriously easy to forge, and control messages are no exception. Since administrators often want their news systems to automatically honor requests from particular people to add or remove newsgroups, it is risky to trust the From: and Sender: headers to identify the real sender of a message, as has historically been done. Thus a system using Philip Zimmermann's Pretty Good Privacy(tm) (PGP(tm)) was developed to provide a more secure means of authenticating the sender of a control message.

Unlike traditional PGP authentication of messages, which only verifies that the body of a message is unchanged from when it was digitally "signed", this system also needs to sign a few headers of the control message, so that the action to be taken is itself verified and certain other pitfalls are guarded against. Another goal was to make the signature as unobtrusive as possible and to require minimal changes to existing software.

How to Verify Control Messages

Listed below are the steps you need to take to enable PGP authentication of control messages on your system. Here is the short and simple version for someone who feels confident hacking around the news system and doesn't like to read a lot:

1. Get and configure the software:
   + ftp://ftp.isc.org/pub/pgpcontrol/pgpverify
   + ftp://ftp.isc.org/pub/pgpcontrol/server-patches/

2. Add maintainers' PGP public keys to the news system key ring.

3. Enable verification through the news system authorization system.
   INN: Use the action verify-pgp_userid (possibly with =logfile appended) in control.ctl.
   C News: Use the action "p" in the fourth field of controlperm, followed by a suitable pgp_userid in the fifth field.
   D News: Use the action "doit,pgp" in control.conf.
   ANU News: Use the "HELP ADD FILE PGP_verification" ANU command.
   Other systems: Sorry, not implemented yet.

4. Test pgpverify. If you have the news.announce.newgroups key in your key ring, run ftp://ftp.isc.org/pub/pgpcontrol/sample.control through pgpverify on stdin. It should spit out the string "news.announce.newgroups" on stdout.

Here is a more verbose version of the instructions:

1. Get the software.

There are two pieces of code that need to be added to a news server to make use of this authentication system: a stand-alone script that verifies an article is what it says it is, and a patch to hook it into the news server's processing of control messages.

The stand-alone program, ftp://ftp.isc.org/pub/pgpcontrol/pgpverify, is a Perl script that should work with Perl version 4 and up. (I have not tested it with earlier versions.) It does not contain any code that depends on any particular news server software.

ftp://ftp.isc.org/pub/pgpcontrol/server-patches/ has patches for hooking the system into existing news server software. Choose the one for your system from the list below.
   + INN version 1.4sec
   + INN version 1.4unoff4
   + C News version CR.G (courtesy of System Administrator and Charles Lindsey)

Newer versions of INN (since 1.5), D News and ANU News (since 6.2.0) do not need to be patched, as they ship with built-in handling for PGP verification. You can therefore skip past the "Install it on your news system" section to "Enable verification for the hierarchies that interest you". I recommend that you upgrade to INN 1.5.1sec if you are running any prior INN version, because it has a few important security problems fixed.

I regret that I do not have the time to develop more patches, but I will gladly add patches for other systems to this page as they are made available to me.
The INN version 1.4sec patch will apply to all INN "unoff" versions, albeit with a little bit of fuzz. I am not positive what versions of C News will work with the C News CR.G patch; if you try it with C News CR.E, please let me know how it goes.

2. Install it in your news system.

First you must ensure that the absolute paths to perl and to pgp are correct in the first few lines of the pgpverify program. No other configuration of options or pathnames should be needed.

Next, the following steps assume, solely for the sake of making it easy for me to write a simple recipe, that you have copied pgpverify and the patch for your system to your news server as /tmp/pgpverify and /tmp/pgpcontrol.pch respectively. I have tried to format this so that you should be able to cut and paste any of the lines in italics directly to your shell. (Sorry, the italics won't show up in the plain text version of this document. Commands versus comments should still be pretty well obvious.)

   + If you are running INN:
     cd to the executable program directory that has ctlinnd.
       mv /tmp/pgpverify pgpverify
     cd to the root of your INN source tree.
       cd site
       patch

     , aka tale@uunet.uu.net, the author of this document) to manage groups in the "Big 8" hierarchies, you could have lines like these (but don't use the backslash continuation, which I have used here for readability; keep each entry on one line):

       newgroup:group-admin@isc.org:\
         comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
         verify-news.announce.newgroups
       rmgroup:group-admin@isc.org:\
         comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
         verify-news.announce.newgroups
       checkgroups:group-admin@isc.org:\
         comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
         verify-news.announce.newgroups

     Additionally, if you like the logging feature available with the action doit=logfile, you can get the same logging by using verify-pgp_userid=logfile.
   + If you are running C News:
     Automatic processing of control messages is handled by controlperm, which you edit in the subdirectory where you patched the control message handling scripts. There is a controlperm(5) manual page that describes its format. To enable PGP verification in addition to the normal authorization done by controlperm, use the action "p" in the fourth field instead of "y" and add a fifth field for the pgp_userid. For example, if you trust group-admin@isc.org (currently David Lawrence, aka tale@uunet.uu.net, the author of this document) to manage groups in the "Big 8" hierarchies, you could have a line like this (but don't use the backslash continuation, which I have used here for readability; keep it all on one line):

       comp,sci,misc,news,rec,soc,talk group-admin@isc.org nrc pv \
         news.announce.newgroups

     You could then remove the line that follows the comment, "but his name can be forged, so don't let him rmgroup...".

   + If you are running D News:
     Automatic processing of control messages is handled by control.conf. To enable PGP verification in addition to the normal authorization done by control.conf, use the action "pgp" in the fourth field, in addition to whatever action you want to happen. For example, if you trust group-admin@isc.org (currently David Lawrence, aka tale@uunet.uu.net, the author of this document) to manage groups in the "Big 8" hierarchies, you could have lines like these (but don't use the backslash continuation, which I have used here for readability; keep each entry on one line):

       newgroup:group-admin@isc.org:\
         comp.*,misc.*,news.*,rec.*,sci.*,soc.*,talk.*:doit,pgp
       rmgroup:group-admin@isc.org:\
         comp.*,misc.*,news.*,rec.*,sci.*,soc.*,talk.*:doit,pgp
       checkgroups:group-admin@isc.org:\
         comp.*,misc.*,news.*,rec.*,sci.*,soc.*,talk.*:doit,pgp

     Note that there is no provision, with the current D News implementation, for checking that the signature matches a particular string, just that it has a valid signature.
     This is probably adequate security as long as you keep the news user's PGP key ring limited to people you trust to maintain newsgroup hierarchies.

     Finally, if you have not installed pgp on your system in a directory where D News normally looks for auxiliary programs, you will need to add a pointer to it in dnews.conf, like this:

       pgp /path/to/pgp

     See http://www.netwinsite.com/pgp.htm for documentation by the D News authors that might supersede this document.

   + If you are running ANU News (V6.2.0 or later):
     Instructions will (hopefully) soon appear here. In the meantime, consult the "HELP ADD FILE PGP_verification" server command.

   + If you are running some other system:
     You're out of luck until someone writes a patch and instructions for your system and makes it available to me for redistribution.

4. Test the system.

Get ftp://ftp.isc.org/pub/pgpcontrol/sample.control and save it to a file on your system; /tmp/sample.control will be used for this example. You'll use it to make sure things work as expected.

To verify the control message, you will need the key for news.announce.newgroups and authorization in your news system for group-admin@isc.org to automatically perform "newgroup". Go ahead and enable it for the test even if you don't want to really allow this, because it is easy enough to rescind after the test by editing the control message authorization file and removing the key with

   pgp -kr news.announce.newgroups

You can check that the pgpverify part of the system will work properly simply by feeding it the sample control message on stdin:

   pgpverify < /tmp/sample.control

If it could run pgp and find the correct key in the default key ring, the string news.announce.newgroups should be printed. The exit status of the script, found in most shells by running

   echo $?

as the next command after pgpverify, should be 0 (zero). If it doesn't work, then

   pgpverify -test < /tmp/sample.control

might give you some enlightenment.
It will print out the input that is used for pgp (which is a reconstructed version of the input that supposedly created the control message) as well as the output of PGP's analysis of the message. Look especially closely at the latter, since it can give you important information such as which key ring is being used.

If it still doesn't work and you've tried and tried to figure out why, email me at tale@isc.org a complete description of the problem you are having and how you have tried to remedy it. At a bare minimum, your mail should include a copy of the message you are trying to verify, a typescript of the attempted execution of pgpverify -test, and the output of pgp -kc and pgp -kvc news.announce.newgroups.

When pgpverify passes its test, use the appropriate procedure below for your news server to verify the authorization system.

   + If you are running INN:
     First, cd to the directory where parsecontrol is installed. Then execute the following four lines, in order, as the user who owns the news system:

       /bin/sh
       PROG=newgroup
       set -- group-admin@isc.org "" /tmp/sample.control
       (. ./parsecontrol "$@"; echo $ACTION)

     If the message verified correctly, the echo command should output doit; otherwise verification failed and the output should be mail. Edit /tmp/sample.control and change all occurrences of "newusers" to "newgroups". Then repeat the parsecontrol and echo lines. This time verification should fail.

   + If you are running C News:
     Because of the way C News is implemented, I have not taken the trouble to find out how it can be tested without running through the whole newgroup script. If you are testing with sample.control, I think this should let you know whether things will work:

       newsflag news.announce.newusers y
       newgroup news.announce.newusers moderated
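The Python program below is an added example; it is not part of this document and not code from the pgpcontrol project. It models two things the text describes: the signature that covers selected headers as well as the body (so that editing the Control: or Newsgroups: header breaks verification, which is the "newusers" to "newgroups" test in step 4), and the news server's authorization step, where a verify-pgp_userid action in control.ctl accepts a message only if the signature comes from that particular user id, not merely from some key in the ring (the check the D News "pgp" action does not make). Everything in it is an assumption made for the example: an HMAC-SHA256 tag with a per-user secret stands in for the PGP signature so it runs offline; the X-PGP-Sig header layout and the list of signed headers are modelled on pgpcontrol's convention, not copied from it; the REQUIRED_SIGNED check is an added defensive test; wildmat is approximated with shell globs and last-matching-rule semantics follow INN; and the key ring, secrets, sample article and log file path are constructed.

```python
import base64
import fnmatch
import hashlib
import hmac

# Constructed stand-in for the news user's PGP key ring (user id -> secret).
# pgpverify runs pgp(1); HMAC-SHA256 replaces the PGP signature here only so
# the example runs offline.  The second key shows "valid, but wrong key".
KEYRING = {
    "news.announce.newgroups": b"constructed secret 1",
    "other.hierarchy.admin": b"constructed secret 2",
}
# Headers the signature covers (assumed list) and those a verifier should
# insist on (added check: an uncovered Control: header could be rewritten).
SIGNED_HEADERS = ["Subject", "Control", "Newsgroups", "From"]
REQUIRED_SIGNED = {"control", "newsgroups", "from"}


def parse_article(text):
    """Split an article into ({lower-cased header name: value}, body)."""
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def signed_text(headers, names, body):
    """Rebuild the signed input (assumed layout): a line naming the covered
    headers, those headers in order, a blank line, then the body."""
    lines = ["X-Signed-Headers: " + ",".join(names)]
    lines += ["%s: %s" % (n, headers.get(n.lower(), "")) for n in names]
    return "\n".join(lines) + "\n\n" + body


def sign_article(text, userid, names=SIGNED_HEADERS):
    """Prepend an X-PGP-Sig style header (assumed layout: version, the
    comma-separated list of signed headers, the base64 signature)."""
    headers, body = parse_article(text)
    mac = hmac.new(KEYRING[userid], signed_text(headers, names, body).encode(),
                   hashlib.sha256).digest()
    return "X-PGP-Sig: 1.0 %s %s\n%s" % (",".join(names), base64.b64encode(mac).decode(), text)


def pgpverify(text):
    """Same contract as the pgpverify script: the user id whose key validly
    signed the message, or None (where the script exits non-zero)."""
    headers, body = parse_article(text)
    parts = headers.get("x-pgp-sig", "").split()
    names = parts[1].split(",") if len(parts) == 3 else []
    if not REQUIRED_SIGNED <= {n.lower() for n in names}:
        return None  # no signature, malformed, or a required header not covered
    try:
        given = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return None
    data = signed_text(headers, names, body).encode()
    for userid, secret in KEYRING.items():
        if hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).digest(), given):
            return userid
    return None


def wildmat(pattern, value):
    """Approximate INN's wildmat: '|'-separated shell-style globs."""
    return any(fnmatch.fnmatchcase(value, alt) for alt in pattern.split("|"))


def control_action(text, rules):
    """Apply control.ctl-style rules (type, From: pattern, group pattern,
    action); the last matching rule wins, as in INN.  'verify-<userid>' gives
    'doit' only if pgpverify returns exactly that user id, otherwise 'mail';
    an '=logfile' suffix is returned alongside the action."""
    headers, _ = parse_article(text)
    ctl = headers.get("control", "").split()
    chosen = ("mail", None)
    for rule_type, from_pat, group_pat, action in rules:
        if (len(ctl) < 2 or rule_type != ctl[0]
                or not wildmat(from_pat, headers.get("from", ""))
                or not wildmat(group_pat, ctl[1])):
            continue
        action, _, logfile = action.partition("=")
        if action.startswith("verify-"):
            action = "doit" if pgpverify(text) == action[len("verify-"):] else "mail"
        chosen = (action, logfile or None)
    return chosen


# Constructed article in the shape of sample.control (a newgroup for the
# moderated news.announce.newusers); not the real file.
SAMPLE = "\n".join([
    "From: group-admin@isc.org",
    "Newsgroups: news.announce.newusers",
    "Subject: cmsg newgroup news.announce.newusers moderated",
    "Control: newgroup news.announce.newusers moderated",
    "",
    "news.announce.newusers\tExplanatory postings for new users. (Moderated)",
    "",
])
SIGNED = sign_article(SAMPLE, "news.announce.newgroups")
# The newgroup line of the control.ctl example above, as a tuple; the log
# file path is a placeholder.
RULES = [("newgroup", "group-admin@isc.org",
          "comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*",
          "verify-news.announce.newgroups=/path/to/newgroup.log")]
```

pgpverify(SIGNED) returns "news.announce.newgroups" and control_action(SIGNED, RULES) returns ("doit", "/path/to/newgroup.log"). Repeating the step 4 test, SIGNED.replace("newusers", "newgroups") changes a covered header, so pgpverify() returns None and the action falls back to "mail". Signing the same article with the other constructed key gives a message pgpverify() still accepts (it returns "other.hierarchy.admin"), yet control_action() still answers "mail" because the user id is not the one named in the action; a key ring that only ever holds trusted hierarchy maintainers is what keeps the weaker "any valid signature" check adequate. A signature whose header list omits Control: is refused outright by the added REQUIRED_SIGNED check.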