AUTHINFO SSL Patch
James F. Hranicky
jfh at cise.ufl.edu
Fri Apr 20 18:20:59 UTC 2001
jmv16 at cornell.edu wrote:
> On Fri, 20 Apr 2001, James F. Hranicky wrote:
>
> > I don't care if the remote users use SSL *unless* then try to send
> > me their username and password. That's the functionality my patch
> > gives.
>
> That functionality is in my patch. You have two auth groups for the
> remote IPs, one with require-ssl and one without, and allow password
> authentication only on the first group.
Ah, ok.
> The trouble is that there's nothing in the protocol for telling the
> client not to try authenticating. So you can stop the clients from
> getting anywhere by authenticating on a non-SSL connection, but you can't
> stop them from sending their passwords if they really want to.
I suppose the best we can do is make sure it fails when they try...
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
- Encryption: its use by criminals is far less -
- frightening than its banishment by governments -
- Vote for Privacy -
More information about the inn-workers
mailing list