Gnus development mailing list
* authentication in gnus technically not perfect
@ 1997-11-20 18:32 Wes Hardaker
  1997-11-23  6:16 ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 5+ messages in thread
From: Wes Hardaker @ 1997-11-20 18:32 UTC



(warn "Wes is being annoying having just read something")

From http://www.mibsoftware.com/userkt/nntpext/0032.htm:

    When authorization is required, the server will send a 480
    response requesting authorization from the client. The client must
    enter AUTHINFO USER followed by the username.  Once sent, the
    server will cache the username and may send a 381 response
    requesting the password associated with that username. Should the
    server request a password using the 381 response, the client must
    enter AUTHINFO PASS followed by a password and the server will
    then check the authentication database to see if the
    username/password combination is valid.  If the combination is
    valid or if no password is required, the server will return a 281
    response. The client should then retry the original command to
    which the server responded with the 480 response. The command
    should then be processed by the server normally. If the
    combination is not valid, the server will return a 502 response.

Ok...  Background:  I'm starting a project to implement a specific
type of authentication in a news server.  All I need is the user name,
so I was looking up the protocols to see if the password was required
by the protocol, or if it can just accept the user name and not
require the user's agent to supply the password.  I was happy to see
the above, but didn't know what user agents typically did, so I
headed for the source for gnus (of course) to find:

  (defun nntp-send-authinfo ()
    "Send the AUTHINFO to the nntp server.
  This function is supposed to be called from `nntp-server-opened-hook'.
  It will prompt for a password."
    (nntp-send-command "^.*\r?\n" "AUTHINFO USER" (user-login-name))
    (nntp-send-command
     "^.*\r?\n" "AUTHINFO PASS"
     (nnmail-read-passwd (format "NNTP (%s) password: " nntp-address))))

IE, it auto-sends the password even if a 381 is never received.  Now,
this is not a big deal of course, I just thought I'd mention it.
Technically there should be two functions, one for user and one for
password (ick).

The reason I don't want a password is that it's sent in clear text,
which I'm trying to avoid so I have another method of associating an
IP address with a user name, and if they match, that's close enough
for government work.  In fact, if they do supply a password, I'm going
to have an auto-yeller installed :-)

-- 
"Ninjas aren't dangerous.  They're more afraid of you than you are of them."
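
The 480/381/281 exchange quoted in the message above, as an added example that is not part of the original post or of Gnus: a client that sends AUTHINFO PASS only after a 381 reply, next to the unconditional behaviour the post describes. Python is used so the sketch runs stand-alone; `ScriptedServer` and every function name are hypothetical, and the server's handling of an unsolicited PASS is an assumption.

```python
# Added example: AUTHINFO client logic driven by the server's reply codes.
# ScriptedServer and all function names are hypothetical, built for illustration.

class ScriptedServer:
    """Constructed stand-in for an NNTP server; records every line it receives."""
    def __init__(self, needs_password, users=None):
        self.needs_password = needs_password
        self.users = users or {}      # username -> password (constructed data)
        self.received = []            # every line the client put on the wire
        self._user = None

    def send(self, line):
        self.received.append(line)
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] != "AUTHINFO":
            return "500 command not recognized"
        if parts[1] == "USER":
            self._user = parts[2]     # server caches the username
            return "381 password required" if self.needs_password else "281 ok"
        if parts[1] != "PASS":
            return "501 syntax error"
        if not self.needs_password:
            return "281 ok"           # assumption: unsolicited PASS is ignored
        ok = self.users.get(self._user) == parts[2]
        return "281 ok" if ok else "502 permission denied"

def authinfo(send, user, get_password):
    """Send AUTHINFO USER; send AUTHINFO PASS only if the server answers 381."""
    code = send("AUTHINFO USER " + user)[:3]
    if code == "281":
        return True                   # accepted on the username alone, no prompt
    if code != "381":
        return False
    return send("AUTHINFO PASS " + get_password())[:3] == "281"

def authinfo_eager(send, user, get_password):
    """Behaviour described in the post: PASS follows USER unconditionally."""
    send("AUTHINFO USER " + user)
    return send("AUTHINFO PASS " + get_password())[:3] == "281"

def passwords_on_wire(server):
    """Lines carrying a cleartext password that reached the server."""
    return [l for l in server.received if l.startswith("AUTHINFO PASS ")]
```

Against a server that answers 281 to the username, `authinfo` never calls `get_password`, so the user is not prompted and nothing secret crosses the connection.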



* Re: authentication in gnus technically not perfect
  1997-11-20 18:32 authentication in gnus technically not perfect Wes Hardaker
@ 1997-11-23  6:16 ` Lars Magne Ingebrigtsen
  1997-11-24 21:33   ` Wes Hardaker
  0 siblings, 1 reply; 5+ messages in thread
From: Lars Magne Ingebrigtsen @ 1997-11-23  6:16 UTC


Wes Hardaker <wjhardaker@ucdavis.edu> writes:

> IE, it auto-sends the password even if a 381 is never received.  Now,
> this is not a big deal of course, I just thought I'd mention it.
> Technically there should be two functions, one for user and one for
> password (ick).

Yup.  I've now added this to the todo list.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen



* Re: authentication in gnus technically not perfect
  1997-11-23  6:16 ` Lars Magne Ingebrigtsen
@ 1997-11-24 21:33   ` Wes Hardaker
       [not found]     ` <x7zpmtc0l5.fsf@peorth.gweep.net>
  0 siblings, 1 reply; 5+ messages in thread
From: Wes Hardaker @ 1997-11-24 21:33 UTC


>>>>> On 23 Nov 1997 07:16:59 +0100, Lars Magne Ingebrigtsen <larsi@gnus.org> said:

Wes> IE, it auto-sends the password even if a 381 is never received.  Now,
Wes> this is not a big deal of course, I just thought I'd mention it.
Wes> Technically there should be two functions, one for user and one for
Wes> password (ick).

Lars> Yup.  I've now added this to the todo list.

Well, I just thought I'd point it out.  It should be a low priority, as
it's hardly a crucial thing to implement.  It's better for security
reasons, but that's really the only reason to worry about it.

-- 
"Ninjas aren't dangerous.  They're more afraid of you than you are of them."



* Re: authentication in gnus technically not perfect
       [not found]     ` <x7zpmtc0l5.fsf@peorth.gweep.net>
@ 1997-11-25  2:04       ` Wes Hardaker
       [not found]         ` <x7d8jpod8f.fsf@peorth.gweep.net>
  0 siblings, 1 reply; 5+ messages in thread
From: Wes Hardaker @ 1997-11-25  2:04 UTC


>>>>> On 24 Nov 1997 18:51:34 -0500, Stainless Steel Rat <ratinox@peorth.gweep.net> said:

Rat> But it is a bug: Gnus fails to work correctly.  That makes it
Rat> important, more important than implementing new features (of
Rat> which there are relatively few in Quassia at this point).

I'm not positive that it's a bug.  I think that any news server will
most likely just ignore a given password if supplied and not asked (it
is supposed to even I think).

-- 
"Ninjas aren't dangerous.  They're more afraid of you than you are of them."



* Re: authentication in gnus technically not perfect
       [not found]         ` <x7d8jpod8f.fsf@peorth.gweep.net>
@ 1997-11-25  6:40           ` Wes Hardaker
  0 siblings, 0 replies; 5+ messages in thread
From: Wes Hardaker @ 1997-11-25  6:40 UTC


>>>>> On 24 Nov 1997 22:37:36 -0500, Stainless Steel Rat <ratinox@peorth.gweep.net> said:

>>>>> "WH" == Wes Hardaker <wjhardaker@ucdavis.edu> writes:

Rat> For the other, by not sending a password in the clear when it is
Rat> not necessary, it is an instance of not sending a cleartext
Rat> password across the network.

Don't get me wrong, I agree :-)  I just don't classify it as a 'bug'
because it doesn't violate protocols nor does it cause problems (aside
from security).

-- 
"Ninjas aren't dangerous.  They're more afraid of you than you are of them."

