ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?

Jeffrey M. Vinocur jeff at litech.org
Tue Sep 9 22:26:49 PDT 2003


On Tue, 9 Sep 2003, Russ Allbery wrote:

> Ah, I see... SASL PLAIN authentication sends the password on the first
> pass.  Hm.  That's actually pretty annoying; I like AUTHINFO a lot better
> since it allows the server to abort the authentication without exposing
> the password if something is wrong with the user.

Well, the initial response is always optional, so in principle it's not a 
protocol problem per se.  (Not that we can't point it out in the SASL 
writeup, though.)


> Clients using SASL PLAIN can authenticate to the wrong server and hence
> give away their password rather than just getting an unknown user error.

But with AUTHINFO USER/PASS, you don't get unknown user errors at all, at 
least with nnrpd:

200 news.litech.org InterNetNews NNRP server INN 2.5.0 (20030713 CVS prerelease) ready (posting ok).
AUTHINFO USER zzzzzzzzzzzzz
381 PASS required
AUTHINFO PASS mysecretgoeshere


-- 
Jeffrey M. Vinocur
jeff at litech.org
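The exchange discussed in this message, as an added example that is not part of the original post: it records which client lines leave the machine before a server can refuse, for SASL PLAIN with and without an initial response and for AUTHINFO USER/PASS. It assumes the AUTHINFO SASL syntax and the 383/481 codes of the later RFC 4643 and the PLAIN message layout of RFC 4616; both servers are constructed stubs.

```python
import base64

def plain_response(user, password, authzid=""):
    # RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, base64 on the wire
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def run(server, steps):
    # Send the client lines in order; stop once the server no longer says "continue".
    sent = []
    for line in steps:
        sent.append(line)
        if not server(line).startswith(("381", "383")):
            break
    return sent

def sasl_plain(server, user, password, initial_response):
    token = plain_response(user, password)
    if initial_response:
        # Password travels in the very first authentication command.
        return run(server, ["AUTHINFO SASL PLAIN " + token])
    # Without an initial response the client waits for the 383 challenge first.
    return run(server, ["AUTHINFO SASL PLAIN", token])

def user_pass(server, user, password):
    return run(server, ["AUTHINFO USER " + user, "AUTHINFO PASS " + password])

def password_exposed(sent, password):
    # True if the password appears in any sent line, in clear or base64-decoded.
    for line in sent:
        candidates = [line.encode("utf-8")]
        try:
            candidates.append(base64.b64decode(line.split()[-1], validate=True))
        except ValueError:
            pass  # last token is not base64
        if any(password.encode("utf-8") in c for c in candidates):
            return True
    return False

def refusing_server(line):
    # Constructed stub: rejects at the first authentication command.
    return "481 Authentication failed"

def nnrpd_like_server(line):
    # Constructed stub: asks for the password whatever the user name is,
    # as in the session quoted in the message.
    if line.startswith("AUTHINFO USER"):
        return "381 PASS required"
    if line == "AUTHINFO SASL PLAIN":
        return "383 ="
    return "481 Authentication failed"
```

Against `refusing_server` only the initial-response variant gives the password away; against `nnrpd_like_server` every variant does, because the server never rejects before the password is sent.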



