Authentication over SSL

Russ Allbery rra at stanford.edu
Mon Sep 8 16:18:21 UTC 2008


Julien ÉLIE <julien at trigofacile.com> writes:

> RFC 4643:
>
>   The AUTHINFO PASS command permits the client to use a clear-text
>   password to authenticate.  A compliant implementation MUST NOT
>   implement this command without also implementing support for TLS
>   [NNTP-TLS].  Use of this command without an active strong encryption
>   layer is deprecated, as it exposes the user's password to all parties
>   on the network between the client and the server.  Any implementation
>   of this command SHOULD be configurable to disable it whenever a
>   strong encryption layer (such as that provided by [NNTP-TLS]) is not
>   active, and this configuration SHOULD be the default.  The server
>   will use the 483 response code to indicate that the datastream is
>   insufficiently secure for the command being attempted (see Section
>   3.2.1 of [NNTP]).
>
> We already have require_ssl: in readers.conf for a SSL connection.
> I suggest the following changes:
>
> * the require_ssl: parameter should also match an encrypted connection
>   after STARTTLS, and not only an initial encrypted connection;

Yup, that sounds like a good fix.

> * add require_ssl_authinfo: for the use described before.

I'm not completely sure on why we'd need another parameter.  Couldn't you
achieve the same ends by setting all relevant authenticator blocks
require_ssl?

> Does the name of the new parameter sound right?
> Should we put its default value to *** TRUE ***?

We probably shouldn't comply with that SHOULD until more clients implement
SASL.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
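The rule the RFC excerpt describes, and the fix proposed above (treat a
connection upgraded with STARTTLS as encrypted, not only one that began under
TLS), can be modelled in a few dozen lines.  The following is an added example
written for this archive page; it is not INN's code and not the readers.conf
implementation.  The response codes (483, 381, 281, 481, 482, 382, 502) are
the ones RFC 3977, RFC 4642 and RFC 4643 define; the `Session` object, the
`require_ssl` flag standing in for `require_ssl:`, and the credential table are
assumptions made for the example.

```python
"""Added example (not INN code): a minimal model of the server-side rule
discussed in the thread.  AUTHINFO USER/PASS are refused with 483 unless the
stream is encrypted, and "encrypted" is true both for a connection that
started under TLS and for one upgraded later with STARTTLS."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Session:
    """Constructed NNTP session state (an assumption of this example)."""
    encrypted: bool = False      # True once the stream is TLS-protected
    require_ssl: bool = True     # models readers.conf "require_ssl: true"
    authenticated: bool = False
    username: Optional[str] = None


# Constructed credential store for the example only; a real server would
# verify against a hashed store or an external authenticator.
USERS = {"alice": "s3cret"}

NEED_TLS = "483 Encryption or stronger authentication required"


def handle(session: Session, line: str) -> str:
    """Return the server response line for one client command."""
    parts = line.split()
    verb = parts[0].upper() if parts else ""

    if verb == "STARTTLS":
        if session.encrypted:
            return "502 Command unavailable: TLS already active"
        # A real server performs the TLS handshake here; the model only
        # records that the rest of the dialogue is encrypted.  RFC 4642 resets
        # authentication state after the upgrade, so do the same.
        session.encrypted = True
        session.username = None
        session.authenticated = False
        return "382 Continue with TLS negotiation"

    if verb == "AUTHINFO":
        if len(parts) < 3:
            return "501 Syntax error"
        sub = parts[1].upper()
        # The check the RFC asks for, applied to both halves of the exchange:
        # refuse clear-text credentials unless the stream is encrypted.
        if session.require_ssl and not session.encrypted:
            return NEED_TLS
        if sub == "USER":
            session.username = parts[2]
            return "381 Enter password"
        if sub == "PASS":
            if session.username is None:
                return "482 Authentication commands issued out of sequence"
            if USERS.get(session.username) == parts[2]:
                session.authenticated = True
                return "281 Authentication accepted"
            session.username = None
            return "481 Authentication failed"
        return "501 Unknown AUTHINFO subcommand"

    return "500 Unknown command"


def run(commands: List[str], *, initial_tls: bool = False,
        require_ssl: bool = True) -> Tuple[List[str], Session]:
    """Feed a scripted client dialogue through handle(); return (responses, session)."""
    s = Session(encrypted=initial_tls, require_ssl=require_ssl)
    return [handle(s, c) for c in commands], s


def codes(commands: List[str], **kw) -> List[str]:
    """Just the three-digit response codes, for quick comparison."""
    return [r[:3] for r in run(commands, **kw)[0]]


if __name__ == "__main__":
    # Clear-text attempt: both AUTHINFO steps are refused with 483.
    print(codes(["AUTHINFO USER alice", "AUTHINFO PASS s3cret"]))
    # Same dialogue after STARTTLS: accepted, which is the proposed fix.
    print(codes(["STARTTLS", "AUTHINFO USER alice", "AUTHINFO PASS s3cret"]))
```

With `require_ssl=False` the same dialogue succeeds in clear text, which is
the behaviour the RFC deprecates and the thread proposes keeping as the
default only until SASL support is more widely deployed in clients.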

