ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?
Jeffrey M. Vinocur
jeff at litech.org
Tue Sep 9 22:26:49 PDT 2003
On Tue, 9 Sep 2003, Russ Allbery wrote:

> Ah, I see... SASL PLAIN authentication sends the password on the first
> pass. Hm. That's actually pretty annoying; I like AUTHINFO a lot better
> since it allows the server to abort the authentication without exposing
> the password if something is wrong with the user.

Well, the initial response is always optional, so in principle it's not a
protocol problem per se. (Not that we can't point it out in the SASL
writeup, though.)

> Clients using SASL PLAIN can authenticate to the wrong server and hence
> give away their password rather than just getting an unknown user error.

But with AUTHINFO USER/PASS, you don't get unknown user errors at all, at
least with nnrpd:

200 news.litech.org InterNetNews NNRP server INN 2.5.0 (20030713 CVS prerelease) ready (posting ok).
AUTHINFO USER zzzzzzzzzzzzz
381 PASS required
AUTHINFO PASS mysecretgoeshere

--
Jeffrey M. Vinocur
jeff at litech.org
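
Added example (not part of the original message and not INN code): a small Python simulation of the two exchanges discussed above, reporting in which cases the password leaves the client. The two server functions, the account list and the 482 reply text are constructed for illustration; the user name and password are the sample values from the transcript.

```python
import base64

KNOWN_USERS = {"alice"}  # constructed account list for the strict server
REJECT = "482 Authentication rejected"  # constructed sample reply

def plain_initial_response(user, password, authzid=""):
    # RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64 on the wire
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def strict_server(line):
    # Hypothetical server: refuses an unknown user before asking for PASS.
    if line.startswith("AUTHINFO USER ") and line.split(" ", 2)[2] in KNOWN_USERS:
        return "381 PASS required"
    return REJECT

def nnrpd_like_server(line):
    # Behaviour in the transcript above: every user name is answered with 381.
    return "381 PASS required" if line.startswith("AUTHINFO USER ") else REJECT

def user_pass_client(server, user, password):
    sent = ["AUTHINFO USER " + user]
    if server(sent[0]).startswith("381"):   # password goes out only after 381
        sent.append("AUTHINFO PASS " + password)
    return sent

def sasl_plain_client(server, user, password):
    # AUTHINFO SASL syntax as later standardized in RFC 4643; password is in the first message.
    sent = ["AUTHINFO SASL PLAIN " + plain_initial_response(user, password)]
    server(sent[0])
    return sent

def password_exposed(sent, password):
    # True if the password left the client, in clear or inside a base64 token.
    for line in sent:
        token = line.rsplit(" ", 1)[-1]
        try:
            fields = base64.b64decode(token, validate=True).split(b"\0")
        except ValueError:
            fields = []
        if token == password or password.encode("utf-8") in fields:
            return True
    return False

def exposure_matrix(user="zzzzzzzzzzzzz", password="mysecretgoeshere"):
    clients = {"USER/PASS": user_pass_client, "SASL PLAIN": sasl_plain_client}
    servers = {"strict": strict_server, "nnrpd-like": nnrpd_like_server}
    return {(c, s): password_exposed(cf(sf, user, password), password)
            for c, cf in clients.items() for s, sf in servers.items()}
```

Only the USER/PASS client talking to the strict server keeps the password off the wire; against a server that answers 381 to every user name, both mechanisms disclose it.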