ietf-nntp Server response length limits

Russ Allbery rra at stanford.edu
Wed Mar 13 12:18:08 PST 2002


Andrew Gierth <andrew at erlenstar.demon.co.uk> writes:

> Is there any likelihood of a SASL scheme showing up that allows for
> third-party authentication via an existing protocol? (RADIUS, for
> example) This would require a scheme in which the server obtains the
> actual plaintext password, which of course widens the scope of attacks,
> but unless something like this becomes available then
> plaintext-on-the-wire is going to remain the rule rather than the
> exception.

SASL PLAIN.  See RFC 2595.  What the server then does with the cleartext
password is entirely up to the server, and could involve something like
RADIUS authentication.

Obviously, you ideally want to use SSL if you're going to use the PLAIN
SASL mechanism, and at some point NNTP should probably acquire a STARTTLS
command.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
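
Added illustration, not part of the original message: a sketch of how a server might decode a SASL PLAIN response (RFC 2595: `[authzid] NUL authcid NUL password`) and pass the cleartext password to a pluggable backend check such as a RADIUS client. The function names, the refusal of PLAIN without TLS, the rejection of proxy authorization, and the in-memory user table standing in for the backend are all assumptions made for this example.

```python
import base64
import hmac
from typing import Callable, Optional, Tuple

class PlainError(ValueError):
    """Malformed or refused SASL PLAIN response."""

def parse_plain(b64_response: str) -> Tuple[str, str, str]:
    """Decode a PLAIN response: [authzid] NUL authcid NUL password."""
    try:
        raw = base64.b64decode(b64_response, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise PlainError("not valid base64") from exc
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise PlainError("expected exactly two NUL separators")
    try:
        authzid, authcid, password = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise PlainError("fields must be UTF-8") from exc
    if not authcid or not password:
        raise PlainError("empty authcid or password")
    return authzid, authcid, password

def authenticate(b64_response: str,
                 verify: Callable[[str, str], bool],
                 tls_active: bool) -> Optional[str]:
    """Return the authenticated identity, or None if the backend says no."""
    # Local policy (assumption): never accept a cleartext password off TLS.
    if not tls_active:
        raise PlainError("PLAIN refused on a cleartext connection")
    authzid, authcid, password = parse_plain(b64_response)
    # This sketch does not implement proxy authorization.
    if authzid and authzid != authcid:
        raise PlainError("proxy authorization not supported")
    # The server holds the cleartext here; verify() may forward it anywhere.
    return authcid if verify(authcid, password) else None

# Constructed stand-in for a real backend (e.g. a RADIUS client call).
DEMO_USERS = {"reader": "s3cret-constructed"}

def demo_backend(user: str, password: str) -> bool:
    expected = DEMO_USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())

# Constructed client response: empty authzid, authcid "reader".
SAMPLE = base64.b64encode(b"\x00reader\x00s3cret-constructed").decode()
```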


