ietf-nntp Multiple AUTHINFOs per session

Jeffrey M. Vinocur jeff at litech.org
Sun Jan 5 19:44:58 PST 2003


On Sun, 5 Jan 2003, Ken Murchison wrote:

> "Jeffrey M. Vinocur" wrote:
> > 
> > On 6 Jan 2003, Andrew Gierth wrote:
> > 
> > > in many cases it's awkward to actually change the credentials
> > > associated with the session.
> > 
> > I can imagine this in some implementations.
> 
> How would this be used?

Well, not very much, most likely :-)


> And couldn't this be done by creating a new session?

Yes.


> Deriving authentication credentials from some out of band channel (TLS,
> IPsec, ident) is fine, but shouldn't the client still be required to
> authenticate via AUTHINFO SASL EXTERNAL in order to use these
> credentials?

Hard to say -- for example, one of the INN resolvers determines "username" 
by doing a DNS lookup on the incoming IP address and taking the domain 
part as the identity.  Where do you draw the line?

But anyway, yes, a conforming client should use the EXTERNAL mechanism to 
indicate such things.  And I wish we only had to worry about conforming 
clients.

However, I don't think we'll ever be rid of legacy clients, and we most 
certainly can't drop support for them now.  So the issue remains open for 
discussion.



> This eliminates any ambiguity.  Based on my experience
> with SMTP/LMTP and IMAP, if a client doesn't explicitly authenticate,
> then it's treated as "anonymous".

Well, in practice, servers need a lot more granularity than "anonymous" to
determine access before authentication.  (For example, what I have
configured right now is approximately:  if the host is trusted, attempt
ident query as some users have extended or restricted access; if that
fails, permit trusted hosts a moderate degree of read access; if a user
attempts to authenticate check against a password file but if the
connection is encrypted, check against the system user database first; if
all that fails permit read access to the local test group.)


> Of course NNTP seems to be highly allergic to conforming to what has
> already been done by other protocols.  ;)

So much history, so much inertia, and no magic wand.

-- 
Jeffrey M. Vinocur
jeff at litech.org
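The layered pre-authentication policy Jeffrey describes (trusted host, ident override, moderate read, password file or system database on encrypted links, local test group as the fallback) as an added Python example; it is not code from the original post or from INN. The trusted-host list, ident results, password file and system user database are constructed stand-ins, and the rule ordering follows one reading of the description (a failed login from a trusted host keeps the trusted-host read level rather than dropping to the test group).

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in data (hypothetical); a real server would consult
# ident, a hashed password file and the system user database.
TRUSTED_HOSTS = {"192.0.2.10", "192.0.2.11"}
IDENT_ACCESS = {"alice": "extended", "mallory": "restricted"}
PASSWORD_FILE = {"bob": "s3cret"}
SYSTEM_USERS = {"carol": "sys-pass"}


@dataclass
class Connection:
    host: str
    encrypted: bool                    # True if the link is TLS-protected
    ident_user: Optional[str] = None   # ident query result, None if it failed
    auth_user: Optional[str] = None    # AUTHINFO USER value, if the client sent one
    auth_pass: Optional[str] = None    # AUTHINFO PASS value, if the client sent one


def _check(db: dict, user: str, password: str) -> bool:
    """Constant-time comparison so a wrong user and a wrong password look alike."""
    expected = db.get(user, "")
    return user in db and hmac.compare_digest(expected, password)


def access_level(conn: Connection) -> str:
    """Return the access level granted to this connection.

    Levels: extended, restricted, moderate-read, full, local-test-read.
    """
    # Trusted host: a per-user ident override wins outright; otherwise the
    # host gets moderate read access even if ident fails.
    if conn.host in TRUSTED_HOSTS:
        if conn.ident_user in IDENT_ACCESS:
            return IDENT_ACCESS[conn.ident_user]
        fallback = "moderate-read"
    else:
        fallback = "local-test-read"
    # Explicit authentication: the system user database is consulted only
    # over an encrypted link; the password file is checked regardless.
    if conn.auth_user is not None and conn.auth_pass is not None:
        if conn.encrypted and _check(SYSTEM_USERS, conn.auth_user, conn.auth_pass):
            return "full"
        if _check(PASSWORD_FILE, conn.auth_user, conn.auth_pass):
            return "full"
    return fallback
```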