Hello mark!
13 Jun 2012 15:03, mark lewis wrote to Benny Pedersen:
ml> the OP is talking about the password submitted during the nntp
ml> authentication process...
sure, I just showed how to not send plain passwords without any changes needed
in jamnntpd
ml> not the one that is sent to the admin from
ml> the user for signup...
?
ml> what you describe would simply be using the md5 of the password as the
ml> password... not the same thing... something has to encode and decode
ml> the md5... that something would be the user's nntp client and the nntp
ml> server...
this is just how openssl works, where the user provides plain passwords in a tls
session; by tls it's not possible to see the md5 password or plain password :=)
what will happen if a man in the middle knows the md5 password and sends it as
raw? he will get access if jamnntpd did not use openssl
hope patchers are awake :)
Regards Benny
... there can only be one way of life, and it works :)
--- Msged/LNX 6.2.0 (Linux/3.1.10-gentoo-r1 (i686))
* Origin: home.junc.org where qico is waiting (2:230/0)
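
The point both posters raise, as an added example that is not part of the original message and is not jamnntpd code: a server that accepts the MD5 of the password treats that digest as the password, so a captured digest logs in again, while a nonce-based response does not replay. The `ChallengeServer` class, the HMAC-SHA256 response and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; not taken from jamnntpd or the thread.
STORED_MD5 = hashlib.md5(b"correct horse").hexdigest()

def static_md5_login(submitted: str) -> bool:
    """Server accepts the MD5 hex digest itself as the credential."""
    return hmac.compare_digest(submitted, STORED_MD5)

class ChallengeServer:
    """Hypothetical nonce scheme: every login needs a fresh response."""
    def __init__(self, secret_hex: str):
        self._secret = secret_hex.encode()
        self._pending = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used nonce: replay rejected
        self._pending.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def client_response(password: bytes, nonce: bytes) -> str:
    """Client derives the shared secret from the password and signs the nonce."""
    secret = hashlib.md5(password).hexdigest().encode()
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()

def demo():
    # What an observer on a non-TLS link would have recorded.
    captured = hashlib.md5(b"correct horse").hexdigest()
    replay_static = static_md5_login(captured)

    server = ChallengeServer(STORED_MD5)
    nonce = server.new_challenge()
    resp = client_response(b"correct horse", nonce)
    first = server.verify(nonce, resp)
    replay_same = server.verify(nonce, resp)                  # nonce already used
    replay_new = server.verify(server.new_challenge(), resp)  # stale response
    return replay_static, first, replay_same, replay_new
```

The stored MD5 remains password-equivalent on the server in this sketch, and the scheme does nothing against an active relay, which is what the TLS session addresses.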