ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?

Russ Allbery rra at stanford.edu
Tue Sep 9 22:35:07 PDT 2003


Jeffrey M Vinocur <jeff at litech.org> writes:
> On Tue, 9 Sep 2003, Russ Allbery wrote:

>> Ah, I see... SASL PLAIN authentication sends the password on the first
>> pass.  Hm.  That's actually pretty annoying; I like AUTHINFO a lot
>> better since it allows the server to abort the authentication without
>> exposing the password if something is wrong with the user.

> Well, the initial response is always optional, so in principle it's not
> a protocol problem per se.  (Not that we can't point it out in the SASL
> writeup, though.)

It's probably not really a big deal.  It just surprises me.  (I'm not sure
that it generalizes into a statement about always using LIST EXTENSIONS
everywhere, but it's certainly a good argument for using it before
AUTHINFO SASL PLAIN and probably AUTHINFO SASL in general since who knows
what other information leakage there may be in other SASL mechs... and
since AUTHINFO SIMPLE has the same problem, AUTHINFO in general.  But I'm
not sure it goes beyond that.)

> But with AUTHINFO USER/PASS, you don't get unknown user errors at all,
> at least with nnrpd:

> 200 news.litech.org InterNetNews NNRP server INN 2.5.0 (20030713 CVS prerelease) ready (posting ok).
> AUTHINFO USER zzzzzzzzzzzzz
> 381 PASS required
> AUTHINFO PASS mysecretgoeshere

Yeah, and that's something of an implementation flaw (nnrpd doesn't know
the valid username set in advance and theoretically could), but at least
the protocol does allow for nicer behavior.

But since people don't implement it, it's probably irrelevant.  No one's
been screaming about this over the history of NNTP, so I'm probably
jumping at shadows.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
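The two authentication flows contrasted in this message, as an added Python sketch that is not part of the original post nor of INN/nnrpd: it models the server side of AUTHINFO USER/PASS (both the nnrpd behaviour quoted above, where every user gets "381 PASS required", and the early-rejection behaviour the protocol permits) next to AUTHINFO SASL PLAIN with an initial response, and reports whether the password had already reached the server by the time an unknown user was refused. The credential store and usernames are constructed for the demo; response codes follow the NNTP AUTHINFO conventions (281/381/481).

```python
import base64

# Constructed credential store for the demo only (not real server data).
USERS = {"eagle": "correct horse battery staple"}


def handle_authinfo_user_pass(user, password, reject_unknown_early):
    """Simulate the AUTHINFO USER / AUTHINFO PASS exchange.

    Returns (server_responses, password_reached_server).
    reject_unknown_early=False mirrors the nnrpd transcript in the thread:
    any USER is answered with '381 PASS required', so the client always
    goes on to send the password.  reject_unknown_early=True is the nicer
    behaviour the protocol allows: an unknown user is refused before any
    password crosses the wire.
    """
    responses = []
    if reject_unknown_early and user not in USERS:
        responses.append("481 Authentication failed")
        return responses, False
    responses.append("381 PASS required")
    # The client now sends AUTHINFO PASS <password>; the server has seen it.
    if USERS.get(user) == password:
        responses.append("281 Authentication accepted")
    else:
        responses.append("481 Authentication failed")
    return responses, True


def sasl_plain_initial_response(authcid, password, authzid=""):
    """Build the client's initial response for AUTHINFO SASL PLAIN.

    SASL PLAIN is [authzid] NUL authcid NUL passwd, sent base64-encoded.
    The password is part of this very first message.
    """
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def handle_sasl_plain(initial_response):
    """Server side of AUTHINFO SASL PLAIN with an initial response.

    Returns (server_responses, password_reached_server).  Because the
    password arrives in the first client message, the server cannot refuse
    an unknown user without already having received the password.
    """
    fields = base64.b64decode(initial_response).decode("utf-8").split("\0")
    if len(fields) != 3:  # malformed PLAIN message: reject, but it was still sent
        return ["481 Authentication failed"], True
    _authzid, authcid, password = fields
    ok = USERS.get(authcid) == password
    return ["281 Authentication accepted" if ok else "481 Authentication failed"], True
```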


