ietf-nntp Multiple AUTHINFOs per session

Ken Murchison ken at oceana.com
Mon Jan 6 06:58:26 PST 2003


Russ Allbery wrote:
> 
> Ken Murchison <ken at oceana.com> writes:
> 
> > Deriving authentication credentials from some out of band channel (TLS,
> > IPsec, ident) is fine, but shouldn't the client still be required to
> > authenticate via AUTHINFO SASL EXTERNAL in order to use these
> > credentials?
> 
> That defeats the whole point of using out of band channels in some cases,
> since the goal is single sign-on and seamless authentication.  For
> example, at Stanford we use a modified ident responder that establishes
> Kerberos credentials; that exchange happens automatically at the beginning
> of a connection from an off-campus IP address, and if it succeeds the
> client identity is established.
> 
> I don't see what purpose is served in forcing clients to send a command to
> establish authentication when their authentication is already established
> on connect.  Bear in mind that the common case for NNTP is still to
> authenticate by IP address.

Hmm.  Once again I guess I'm not completely up to speed on NNTP
deployment.  So, when using the IP, are you just auth'ing the host?

My understanding of the use of EXTERNAL, is that the client tells the
server to go ahead and use whatever credentials it derived from the out
of band facility, instead of the server automatically using them. 
EXTERNAL also allows for proxying, just like PLAIN, DIGEST-MD5, etc.

If the client is able to override the automatic pre-auth by issuing
AUTHINFO xxx, then I guess it's just a matter of semantics.

> 
> > This eliminates any ambiguity.  Based on my experience with SMTP/LMTP
> > and IMAP, if a client doesn't explicitly authenticate, then it's treated
> > as "anonymous".
> 
> I'm not sure that concept makes a lot of sense on Usenet.  Other than
> fully public servers for particular hierarchies (which isn't the common
> case, although it's growing), there really isn't a notion of anonymous
> users to NNTP servers, but similarly there tends not to be a lot of worry
> at *most* sites about establishing a specific identity.  Instead, some
> precaution is taken to ensure that the user is within a large group of
> authorized users and then it's left at that.
> 
> (This *isn't* true for commercial NSPs as much; they more frequently want
> an actual identity.  I'm thinking about the typical organizational NNTP
> server, or the NNTP server someone runs on their own system.)
> 
> > Of course NNTP seems to be highly allergic to conforming to what has
> > already been done by other protocols.  ;)
> 
> Hm.  I'm not sure I agree, and I'm not sure what you're thinking about.


Most specifically, the previous discussions of SASL syntax and the
current discussion over on ietf-822.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
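The two policies argued over above (client must claim its out-of-band credentials with AUTHINFO SASL EXTERNAL, versus the server using them automatically on connect, with an explicit AUTHINFO able to override) can be made concrete in a few lines. The following is an added example, not code from this thread, from INN, or from Stanford's ident responder; it models only the server's bookkeeping, and it borrows the `AUTHINFO SASL EXTERNAL [initial-response]` syntax and the 281/481/501/503 response codes from the later RFC 4643, which is an assumption about what the 2003 draft would have done. `only_admins_proxy` and the sample identities are constructed for illustration.

```python
"""
Added example (not from the ietf-nntp thread or any real NNTP server):
a toy model of how a server might combine an identity learned out of band
(TLS client certificate, an ident/Kerberos exchange, or the client's IP
address) with an explicit AUTHINFO SASL EXTERNAL command, under both of
the policies discussed in the thread.  Command syntax and response codes
follow RFC 4643 (assumed here; the thread predates that RFC).
"""
import base64
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    # Identity the server derived out of band before any command, or None.
    external_id: Optional[str]
    # Policy switch from the thread: True means the server uses external_id
    # automatically ("pre-auth"); False means the client must still claim it
    # with AUTHINFO SASL EXTERNAL and is anonymous until it does.
    auto_preauth: bool
    # Identity established by an explicit AUTHINFO, if any.
    authenticated_as: Optional[str] = None


def effective_identity(sess: Session) -> Optional[str]:
    """Identity the server acts on for this session (None = anonymous)."""
    if sess.authenticated_as is not None:
        return sess.authenticated_as      # an explicit AUTHINFO always wins
    if sess.auto_preauth:
        return sess.external_id           # may still be None
    return None


def decode_initial_response(arg: Optional[str]) -> Optional[str]:
    """Decode the optional base64 initial response of AUTHINFO SASL.
    RFC 4643 sends a lone '=' for an empty initial response.  For EXTERNAL
    the response is the requested authorization identity (authzid); empty
    means "the same as the authenticated identity".  None = undecodable."""
    if arg is None or arg == "=":
        return ""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-8")
    except ValueError:                    # binascii.Error and bad UTF-8
        return None


def handle_authinfo_sasl(sess: Session, line: str,
                         may_proxy: Callable[[str, str], bool]):
    """Process one 'AUTHINFO SASL EXTERNAL [initial-response]' line.
    may_proxy(authn_id, authz_id) is site policy for letting the
    authenticated identity act as another one (the proxying Ken mentions).
    Returns the (code, text) the server would answer."""
    parts = line.strip().split()
    if len(parts) not in (3, 4) or \
            [p.upper() for p in parts[:2]] != ["AUTHINFO", "SASL"]:
        return (501, "Syntax error")
    if parts[2].upper() != "EXTERNAL":
        return (503, "Mechanism not recognized")   # only EXTERNAL modelled
    if sess.external_id is None:
        # Nothing was established out of band, so EXTERNAL has nothing to use.
        return (481, "Authentication failed")
    authzid = decode_initial_response(parts[3] if len(parts) == 4 else None)
    if authzid is None:
        return (501, "Syntax error")
    if authzid in ("", sess.external_id):
        sess.authenticated_as = sess.external_id
        return (281, "Authentication accepted")
    if may_proxy(sess.external_id, authzid):
        sess.authenticated_as = authzid   # authenticated as one, acting as another
        return (281, "Authentication accepted")
    return (481, "Authentication failed")


def only_admins_proxy(authn_id: str, authz_id: str) -> bool:
    """Constructed sample policy: only 'admin' may act as another user."""
    return authn_id == "admin"


def run_scenario(external_id: Optional[str], auto_preauth: bool, line: str):
    """Identity before the command, the server's reply, identity after."""
    sess = Session(external_id=external_id, auto_preauth=auto_preauth)
    before = effective_identity(sess)
    reply = handle_authinfo_sasl(sess, line, only_admins_proxy)
    return before, reply, effective_identity(sess)


if __name__ == "__main__":
    # Constructed walk-through; "cnVzcw==" is base64 for the authzid "russ".
    print(run_scenario("ken", False, "AUTHINFO SASL EXTERNAL ="))
    print(run_scenario("ken", False, "AUTHINFO SASL EXTERNAL cnVzcw=="))
    print(run_scenario("admin", True, "AUTHINFO SASL EXTERNAL cnVzcw=="))
    print(run_scenario(None, True, "AUTHINFO SASL EXTERNAL ="))
```

With `auto_preauth=False` the session is anonymous until the client sends the command, which is the SMTP/IMAP-style model Ken describes; with `auto_preauth=True` the out-of-band identity applies from connect, and an explicit AUTHINFO SASL EXTERNAL with a non-empty authzid can still override it, subject to the proxy policy.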


