[ietf-nntp] Re: I-D ACTION:draft-ietf-nntpext-authinfo-00.txt
Russ Allbery
rra at stanford.edu
Mon May 17 03:24:13 PDT 2004
Jeffrey M Vinocur <jeff at litech.org> writes:
> On Mon, 10 May 2004, Ken Murchison wrote:
>> Peter Robinson wrote:
>>> This 'username only' authentication is interesting functionality. Is
>>> it in use at all? In principle it's just as secure as AUTHINFO
>>> USER+PASS if combined with encryption, but if the client thinks of the
>>> AUTHINFO USER parameter as a username rather than a password, it might
>>> store it in logs in the clear and echo it on screen etc. which would
>>> be bad. This functionality does complicate things a little. Can it
>>> be dropped?
>> I agree. This is crufty behavior and if there isn't a compelling
>> reason for it, we should remove it.
> I have seen this behavior used in existing practice. In particular, if
> there's an out-of-band authentication mechanism (e.g. one like "identd"
> or certain kerberos implementations where the server queries back via a
> new TCP connection to the original host), the client sends AUTHINFO USER
> in order to suggest to the server which username it expects. Certainly
> this behavior is now better done with SASL, but that's true of all of
> AUTHINFO USER; thus I think the above is not a compelling reason to
> remove the 281-without-password.
What servers actually support this? Is this something people have hacked
into INN specifically for this purpose, or is there a server that doesn't
return 381?
It's very hard-coded in INN:
    /* AUTHINFO USER: remember the name, then unconditionally demand a
       password (NNTP_AUTH_NEXT_VAL is 381 in INN's nntp.h). */
    if (strcasecmp(av[1], "user") == 0) {
        strlcpy(User, av[2], sizeof(User));
        Reply("%d PASS required\r\n", NNTP_AUTH_NEXT_VAL);
        return;
    }
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
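The two server behaviours under discussion, laid out as an added example (constructed here, not INN's code or anything from the draft): a minimal AUTHINFO state machine that by default follows INN and always answers USER with 381, and optionally accepts USER alone with 281 when a stand-in out-of-band check (the identd/Kerberos-style callback Jeff mentions) succeeds. It also logs both AUTHINFO steps with the argument redacted, since, as Peter notes, a client may be sending a secret in the USER parameter. The credential table, the peer names and the out-of-band check are all assumptions made for the example.

```python
"""Toy NNTP AUTHINFO USER/PASS handler (constructed example, not INN's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed credential store: username -> SHA-256 of the password.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _out_of_band_ok(user: str, peer: str) -> bool:
    """Stand-in for an identd/Kerberos-style callback to the peer (assumed)."""
    return (user, peer) == ("bob", "trusted-host")


@dataclass
class AuthSession:
    peer: str
    # The "281 without password" behaviour the thread debates; off by default.
    allow_user_only: bool = False
    user: Optional[str] = None
    authenticated: bool = False
    log: List[str] = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Process one AUTHINFO command line and return the server reply."""
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0].upper() != "AUTHINFO":
            return "501 Syntax error"
        sub, arg = parts[1].upper(), parts[2]

        if sub == "USER":
            self.user = arg
            # Record that a USER step happened, never the argument itself:
            # the client may be treating it as a password.
            self.log.append(f"{self.peer}: AUTHINFO USER <redacted>")
            if self.allow_user_only and _out_of_band_ok(arg, self.peer):
                self.authenticated = True
                return "281 Authentication accepted"
            # INN's behaviour: always ask for the password (381).
            return "381 Password required"

        if sub == "PASS":
            if self.user is None:
                return "482 Authentication commands issued out of sequence"
            self.log.append(f"{self.peer}: AUTHINFO PASS <redacted>")
            expected = _USERS.get(self.user)
            digest = hashlib.sha256(arg.encode()).hexdigest()
            if expected is not None and hmac.compare_digest(expected, digest):
                self.authenticated = True
                return "281 Authentication accepted"
            # Failed attempt: drop the pending username so the client restarts.
            self.user = None
            return "481 Authentication failed"

        return "501 Syntax error"


if __name__ == "__main__":
    s = AuthSession(peer="client-a")
    print(s.handle("AUTHINFO USER alice"))          # 381 Password required
    print(s.handle("AUTHINFO PASS correct horse"))  # 281 Authentication accepted
    print(s.log)                                    # arguments redacted
```

Running it shows the ordinary 381/281 exchange and a log that contains neither the username nor the password; switching `allow_user_only=True` on a session whose peer passes the out-of-band check produces the 281-after-USER reply that Jeff describes, while any other peer still gets 381.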