AUTHINFO SIMPLE and PASS
Julien ÉLIE
julien at trigofacile.com
Tue Aug 26 18:11:21 UTC 2008
Hi Russ,
> Looks like we added AUTHINFO SIMPLE support when
> readers.conf landed and got it completely wrong.
>
> Well, that answers the question of whether anyone is using it. INN didn't
> support AUTHINFO SIMPLE until 2.3, and never supported it as specified in
> RFC 2980. I vote we just delete it.
All right.
I have just deleted the code but have not committed it yet.
In fact, I wonder what the use of PERMpass is.
~/work/inn/trunk% grep -r PERMpass *
nnrpd/commands.c: strlcpy(PERMpass, fields[3], sizeof(PERMpass));
nnrpd/commands.c: if (strcmp(User, PERMuser) == 0 && strcmp(Password, PERMpass) == 0) {
nnrpd/nnrpd.h:EXTERN char PERMpass[SMBUF];
The first one is used for AUTHINFO GENERIC and the second one for AUTHINFO USER/PASS:

    if (strcmp(User, PERMuser) == 0 && strcmp(Password, PERMpass) == 0) {
        syslog(L_NOTICE, "%s user %s", Client.host, PERMuser);
        if (LLOGenable) {
            fprintf(locallog, "%s user (%s):%s\n", Client.host, Username, PERMuser);
            fflush(locallog);
        }
        Reply("%d Ok\r\n", NNTP_OK_AUTHINFO);
        PERMneedauth = false;
        PERMauthorized = true;
        PERMcanauthenticate = false;
        return;
    }
    errorstr[0] = '\0';
    PERMlogin(User, Password, errorstr);
    PERMgetpermissions();
    /* Authentication is successful. */
    if (!PERMneedauth) {
        syslog(L_NOTICE, "%s user %s", Client.host, PERMuser);
        [The same piece of code with NNTP_OK_AUTHINFO.]

It looks as though the first condition never matches because there is no PERMpass...
I tried to see when it was used and I found this in the old commands.c:

#ifdef DO_PYTHON
    if (innconf->nnrppythonauth) {
        [...]
        PERMspecified = NGgetlist(&PERMreadlist, accesslist);
        PERMpostlist = PERMreadlist;
        Reply("%d Ok\r\n", NNTP_AUTH_OK_VAL);
        /* save these values in case you need them later */
        strcpy(PERMuser, User);
        strcpy(PERMpass, Password);
        [...]

Did something go wrong?
According to the current code, PERMpass can be removed everywhere.
Its value set in AUTHINFO GENERIC is not used...
Or maybe I am totally wrong and do not understand PERMpass?
(PERMused, on the contrary, seems to be widely used.)
>> Anyway, they should not use that direct authentication. It is specified
>> nowhere with AUTHINFO PASS. Note that innfeed does the job right: it
>> sends AUTHINFO USER and AUTHINFO PASS.
>
> If you send just AUTHINFO PASS to INN right now, what does it do? And
> does it normally just ignore the user?
innd takes it. Note that incoming.conf only defines password: for authentication.
%telnet localhost 119
200 news.trigofacile.com InterNetNews server INN 2.5.0 (20080629 prerelease) ready
AUTHINFO PASS pass
281
It just ignores the user:

    /* Ignore "authinfo user" commands, since we only care about the
     * password. */
    if (strncasecmp(p, USER, strlen(USER)) == 0) {
        NCwritereply(cp, NNTP_AUTH_NEXT);
        return;
    }

where USER="user " -- with a space :)
--
Julien ÉLIE
"A woman has a passion for arithmetic: she divides her age by two,
doubles the price of her dresses, triples her husband's salary
and adds five years to her best friend's age." (Marcel Achard)
More information about the inn-workers
mailing list
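
Added example, not part of the original message and not INN code: a sketch of a password-only peer handler that still enforces the AUTHINFO USER then AUTHINFO PASS order, so a bare AUTHINFO PASS like the one in the telnet session above gets 482 instead of 281. The struct, the function name and the reply-code choices (381/281/481/482/502 as defined for AUTHINFO USER/PASS in RFC 4643) are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Hypothetical per-connection state (not INN's own structures). */
struct peer_auth {
    bool user_seen;       /* AUTHINFO USER accepted, PASS expected next */
    bool authenticated;
};

/* Return the NNTP reply code for one command line (CRLF already stripped).
 * secret is the password configured for this peer; the user name itself
 * is not checked, matching a password-only peer configuration. */
int authinfo_reply(struct peer_auth *st, const char *line, const char *secret)
{
    static const char AUTHINFO[] = "authinfo ";
    static const char USER[] = "user ";   /* trailing space, as in innd */
    static const char PASS[] = "pass ";
    const char *p;

    if (strncasecmp(line, AUTHINFO, strlen(AUTHINFO)) != 0)
        return 500;                        /* not an AUTHINFO command */
    p = line + strlen(AUTHINFO);

    if (st->authenticated)
        return 502;                        /* no re-authentication */

    if (strncasecmp(p, USER, strlen(USER)) == 0) {
        if (p[strlen(USER)] == '\0')
            return 501;                    /* empty user name */
        st->user_seen = true;
        return 381;                        /* password required */
    }
    if (strncasecmp(p, PASS, strlen(PASS)) == 0) {
        if (!st->user_seen)
            return 482;                    /* PASS without a preceding USER */
        st->user_seen = false;             /* a failed PASS restarts the exchange */
        if (strcmp(p + strlen(PASS), secret) != 0)
            return 481;                    /* wrong password */
        st->authenticated = true;
        return 281;                        /* authentication accepted */
    }
    return 501;                            /* other AUTHINFO variant or bad syntax */
}
```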