From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/12867 Path: main.gmane.org!not-for-mail From: Wes Hardaker Newsgroups: gmane.emacs.gnus.general Subject: authentication in gnus technically not perfect Date: 20 Nov 1997 10:32:41 -0800 Organization: U.C. Davis, Information Technology Message-ID: NNTP-Posting-Host: coloc-standby.netfonds.no Mime-Version: 1.0 (generated by tm-edit 7.106) Content-Type: text/plain; charset=US-ASCII X-Trace: main.gmane.org 1035152329 6106 80.91.224.250 (20 Oct 2002 22:18:49 GMT) X-Complaints-To: usenet@main.gmane.org NNTP-Posting-Date: Sun, 20 Oct 2002 22:18:49 +0000 (UTC) Return-Path: Original-Received: from xemacs.org (xemacs.cs.uiuc.edu [128.174.252.16]) by altair.xemacs.org (8.8.8/8.8.8) with ESMTP id MAA28319 for ; Thu, 20 Nov 1997 12:15:09 -0800 Original-Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by xemacs.org (8.8.5/8.8.5) with ESMTP id OAA09278 for ; Thu, 20 Nov 1997 14:15:22 -0600 (CST) Original-Received: from claymore.vcinet.com (claymore.vcinet.com [208.205.12.23]) by ifi.uio.no (8.8.7/8.8.7/ifi0.2) with SMTP id TAA22142 for ; Thu, 20 Nov 1997 19:35:45 +0100 (MET) Original-Received: (qmail 3822 invoked by uid 504); 20 Nov 1997 18:35:41 -0000 Original-Received: (qmail 3819 invoked from network); 20 Nov 1997 18:35:38 -0000 Original-Received: from n8-103-207.thegrid.net (hardaker@209.60.103.207) by claymore.vcinet.com with SMTP; 20 Nov 1997 18:35:37 -0000 Original-Received: (from hardaker@localhost) by n8-103-207.thegrid.net (8.8.6/8.8.6) id KAA01266; Thu, 20 Nov 1997 10:32:41 -0800 Original-To: ding@gnus.org X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/ IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4 X-url: http://www-sphys.unil.ch/~whardake Original-Lines: 50 X-Mailer: Quassia Gnus v0.13/XEmacs 19.15 Xref: main.gmane.org gmane.emacs.gnus.general:12867 X-Report-Spam: http://spam.gmane.org/gmane.emacs.gnus.general:12867 (warn "Wes is being annoying having just read something") >>From http://www.mibsoftware.com/userkt/nntpext/0032.htm: When authorization is required, the server will send a 480 response requesting authorization from the client. The client must enter AUTHINFO USER followed by the username. Once sent, the server will cache the username and may send a 381 response requesting the password associated with that username. Should the server request a password using the 381 respose, the client must enter AUTHINFO PASS followed by a password and the server will then check the authentication database to see if the username/password combination is valid. If the combination is valid or if no password is required, the server will return a 281 response. The client should then retry the original command to which the server responded with the 480 response. The command should then be processed by the server normally. If the combination is not valid, the server will return a 502 response. Ok... Background: I'm starting a project to implement a specific type of authentication in a news server. All I need is the user name, so I was looking up the protocols to see if the password was required by the protocol, or if it can just accept the user name and not require the user's agent to supply the password. I was happy to see the above, but didn't know what user agent's typically did, so I headed for the source for gnus (of course) to find: (defun nntp-send-authinfo () "Send the AUTHINFO to the nntp server. This function is supposed to be called from `nntp-server-opened-hook'. It will prompt for a password." (nntp-send-command "^.*\r?\n" "AUTHINFO USER" (user-login-name)) (nntp-send-command "^.*\r?\n" "AUTHINFO PASS" (nnmail-read-passwd (format "NNTP (%s) password: " nntp-address)))) IE, it auto-sends the password even if a 381 is never received. Now, this is not a big deal of course, I just thought I'd mention it. Technically there should be two functions, one for user and one for password (ick). The reason I don't want a password is that its sent in clear text, which I'm trying to avoid so I have another method of associating an IP address with a user name, and if they match, thats close enough for government work. In fact, if they do suply a password, I'm going to have an auto-yeller installed :-) -- "Ninjas aren't dangerous. They're more afraid of you than you are of them."