ietf-nntp Multiple Authentications, personal opinion

Jeffrey M. Vinocur jeff at litech.org
Tue Jan 7 17:20:50 PST 2003


On Tue, 7 Jan 2003, Juergen Helbing wrote:

> This is not done intentionally but simply because the authinfo command
> is not blocked after a successful auth.

Yes, this is a side-effect of some server implementations, and
difficult to do in other implementations.


> What I saw already on Usenet was that a host required authentication
> WITHIN a session when a binary group was selected:

That's what the 480 return code is for, after all.


> There is one thing I have not understood yet:
> It seems that a special kind of secure authentication is discussed
> here - and I'm wondering how to write a news-client which does not
> know whether the host permits (or requires) secure auth:

*blink*  From draft-ietf-nntpext-base-15.txt:

          8.1  LIST EXTENSIONS

             The LIST EXTENSIONS command allows a client to determine
             which extensions are supported by the server. This command
             MUST be implemented by any server that implements any
             extensions defined in this memo. This command is not
             streamable.

             To discover what extensions are available, an NNTP client
             SHOULD query the server early in the session for extensions
             information by issuing the LIST EXTENSIONS command. [...]


> In such cases the client must try both types of auth (at least once to
> find out which one the host wants). This could be done - of course -
> in a second attempt to reconnect - but this is not very funny.

A client can use the LIST EXTENSIONS command as defined above.  
Additionally, if you read what I posted in the newsgroup yesterday:

        That is, after a successful AUTHINFO, should the client be
        permitted to issue AUTHINFO again.

and note the word "successful" you will realize that even without LIST 
EXTENSIONS the problem you describe will not occur.


> These servers have limitations for the number of concurrent users -
> and sometimes farms permit connect but have strange reply code when an
> article should be retrieved as:  "480 already connect to two other
> hosts).....

I don't think that's an appropriate response code there, by any means.  
Perhaps 403 would be a better choice?

(By the way, does the server then close the connection, or leave it open?)


> So I personally would be careful to _forbid_ something if it is not
> strictly necessary for secure auth....

See posts in the past week.


> Please apologize if these things have been already discussed.
> I did not read the list seriously in the last few weeks.

(It would be polite, in such cases, to read the archives for this 
particular issue.)

-- 
Jeffrey M. Vinocur
jeff at litech.org
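The exchange the thread is arguing about (LIST EXTENSIONS early in the session, a 480 when a restricted group is selected, AUTHINFO USER/PASS within the session, and what happens if AUTHINFO is issued again after it already succeeded), as an added example that is not part of the original message or of any real server or client. The extension label "AUTHINFO USER", the reply texts, the 202/"." shape of the LIST EXTENSIONS reply and the policy of refusing a second AUTHINFO with 502 are all assumptions chosen to illustrate the discussion, not quotes from the draft.

```python
# Added example: a constructed model of the NNTP exchange discussed above
# (LIST EXTENSIONS discovery, 480 mid-session, AUTHINFO USER/PASS).  This is
# not code from the thread, the draft, or any real server; the reply texts,
# the extension label and the 502-after-success policy are assumptions.


class FakeNntpServer:
    """In-memory stand-in for an NNTP server (constructed for this example)."""

    def __init__(self, users, restricted_groups, extensions):
        self.users = dict(users)                  # user -> password
        self.restricted = set(restricted_groups)  # groups that draw a 480
        self.extensions = list(extensions)        # labels shown by LIST EXTENSIONS
        self.authenticated = False
        self.pending_user = None

    def handle(self, line):
        """Return the server's reply lines for one client command."""
        cmd, *args = line.split()
        cmd = cmd.upper()
        if cmd == "LIST" and args and args[0].upper() == "EXTENSIONS":
            # Multi-line reply terminated by a lone "." (assumed draft-style shape).
            return ["202 Extensions supported:", *self.extensions, "."]
        if cmd == "AUTHINFO":
            if self.authenticated:
                # Policy modelled here: AUTHINFO is refused once auth succeeded.
                return ["502 Command unavailable"]
            sub = args[0].upper() if args else ""
            if sub == "USER" and len(args) == 2:
                self.pending_user = args[1]
                return ["381 Password required"]
            if sub == "PASS" and len(args) == 2 and self.pending_user:
                if self.users.get(self.pending_user) == args[1]:
                    self.authenticated = True
                    return ["281 Authentication accepted"]
                self.pending_user = None
                return ["481 Authentication failed"]
            return ["501 Syntax error"]
        if cmd == "GROUP" and len(args) == 1:
            if args[0] in self.restricted and not self.authenticated:
                return ["480 Authentication required"]
            return [f"211 0 0 0 {args[0]}"]
        return ["500 Unknown command"]


def discover_extensions(send):
    """Issue LIST EXTENSIONS and return the advertised labels ([] if unsupported)."""
    reply = send("LIST EXTENSIONS")
    if not reply[0].startswith("202"):
        return []
    return [ln for ln in reply[1:] if ln != "."]


def select_group(server, group, user, password):
    """Client side: query extensions early, select the group, and authenticate
    within the session only if the server answers 480.
    Returns (final three-digit status, transcript of the exchange)."""
    transcript = []

    def send(line):
        reply = server.handle(line)
        transcript.append(f"C: {line}")
        transcript.extend(f"S: {r}" for r in reply)
        return reply

    extensions = discover_extensions(send)
    reply = send(f"GROUP {group}")
    if reply[0].startswith("480"):
        if "AUTHINFO USER" not in extensions:
            return "480", transcript          # server wants auth the client cannot offer
        reply = send(f"AUTHINFO USER {user}")
        if reply[0].startswith("381"):
            reply = send(f"AUTHINFO PASS {password}")
        if not reply[0].startswith("281"):
            return reply[0][:3], transcript   # 481: stop, do not retry blindly
        reply = send(f"GROUP {group}")        # retry the command that drew the 480
    return reply[0][:3], transcript


if __name__ == "__main__":
    # Constructed credentials and group name; "alt.binaries.test" is restricted.
    srv = FakeNntpServer({"alice": "s3cret"}, ["alt.binaries.test"], ["AUTHINFO USER"])
    status, log = select_group(srv, "alt.binaries.test", "alice", "s3cret")
    print("\n".join(log))
    print("final status:", status)
    print("second AUTHINFO after success:", srv.handle("AUTHINFO USER alice"))
```

The client never has to guess which kind of auth the host wants or reconnect to find out: it reads the LIST EXTENSIONS reply once, reacts to 480 only when it actually arrives, and treats a 481 as final rather than looping. The model also shows the point about the word "successful": a client that only sends AUTHINFO in response to 480 never hits the refused second AUTHINFO, whichever way a server decides that question.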