[tin-users] HELP! Auth bug in tin 2.4 ?

Urs Janßen urs at tin.org
Thu Sep 22 00:25:13 CEST 2016 

On Wed, Sep 21, 2016 at 05:45:03PM +0100, Alec Muffett wrote:
> The message "nntp_open() authenticate()" corresponds with auth.c line 1432
> 
> ...and if I read it right it has decided to authenticate on the basis of:
> 
>  if (force_auth_on_conn_open ||
>  (nntp_caps.type == CAPABILITIES &&
>    !nntp_caps.reader &&
>    (nntp_caps.authinfo_user || (nntp_caps.authinfo_sasl & SASL_PLAIN))))
> 
> Adding some extra debug statements shows that this expression evaluates to
> True because all of:
> 
> * nntp_caps.type == CAPABILITIES
> * !nntp_caps.reader
> * nntp_caps.authinfo_user
> 
> ...are true (and the other expressions are false) but I don't follow why
> this tuple of booleans should require Tin to authenticate?

in transit mode tin does expect AUTHINFO to have an agrument listed in
the CAPABILITIES response (as in RFC 4643 2.1):

| The server MAY list the AUTHINFO capability with no arguments, which
| indicates that it complies with this specification and does not
| permit any authentication commands in its current state.  In this
| case, the client MUST NOT attempt to utilize any AUTHINFO commands,
| even if it contains logic that might otherwise cause it to do so

the nntp dialog then looks like

>>> [21:34:09.288267] CAPABILITIES
<<< [21:34:09.289039] 101 Capability list:
<<< [21:34:09.328976] VERSION 2
<<< [21:34:09.329151] IMPLEMENTATION INN 2.6.0
<<< [21:34:09.329291] AUTHINFO
<<< [21:34:09.329399] IHAVE
<<< [21:34:09.329516] LIST ACTIVE ACTIVE.TIMES MOTD NEWSGROUPS
<<< [21:34:09.329638] MODE-READER
<<< [21:34:09.329751] STREAMING
>>> [21:34:09.329965] MODE READER
<<< [21:34:09.376830] 200 ok
>>> [21:34:09.377109] CAPABILITIES
[...]

the logic should probabely be more like [nntplib.c:nntp_open() ~1432]:

if (nntp_caps.type == CAPABILITIES && !nntp_caps.reader) {
	if (nntp_caps.mode_reader) {
		char buf[NNTP_STRLEN];

		put_server("MODE READER");
		switch (get_only_respcode(buf, sizeof(buf))) {
			case ERR_GOODBYE:
			case ERR_ACCESS:
				return -1;

			default:
				break;
		}
		check_extensions();
	}
	if (force_auth_on_conn_open) {
		if (!authenticate(nntp_server, userid, FALSE))
			return -1;
		check_extensions();
	}
/* ... */

could you try the attached patch?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nntplib.c.diff
Type: text/x-diff
Size: 1712 bytes
Desc: not available
URL: <http://lists.tin.org/pipermail/tin-users/attachments/20160922/4bcfe298/attachment.diff>

More information about the tin-users mailing list