MSGID: 2:280/464.47 63e7d570
REPLY: 1:153/757.0 95606ad4
PID: JamNNTPd/Linux 1
CHRS: LATIN-1 2
TZUTC: 0100
TID: CrashMail II/Linux 1.7
Alan wrote (2023-02-11):

 >>> ? 11 Feb 00:00:36 [78274] Warning: remote set UNSECURE session
 >>> + 11 Feb 00:00:36 [78274] pwd protected session (MD5)

 >> This means your system is sending a session password, but the remote
 >> session has no password set for incoming connections and returns M_OK
 >> 'non-secure', which gets logged as "Warning: remote set UNSECURE
 >> session". (a wrong password should return an error)

 >> It is not a password protected or encrypted session, even if binkd
 >> tells you so. It is a security flaw of binkd though.

 AI> Is that a misconfiguration at the remote end, there is no (or an
 AI> incorrect) password set?

See http://ftsc.org/docs/fts-1026.001

  * M_OK "non-secure"
    report to remote about normal password unprotected
    session; usually used for empty password;

I think an incorrect password should return an M_ERR and close the connection.

But it depends on the server. A man in the middle, a compromised server or a
weird implementation could just ignore the password and send back M_OK
"secure".

 AI> Binkd should not log "pwd protected session (MD5)" in that case.

I always use the -md option (require CRAM-MD5) for the node and check for
CRYPT in the perl hook script. A CRYPT session works only if both parties use
the same password.

---
 * Origin: War is Peace. Freedom is Slavery. Ignorance is Strength.
(2:280/464.47)
SEEN-BY: 1/123 15/0 90/1 103/705 105/81 106/201 114/709 120/340 123/131
SEEN-BY: 124/5016 129/305 153/757 7715 154/10 203/0 218/700 221/0
SEEN-BY: 221/1 226/30 227/114 229/110 111 112 113 114 200 206 307
SEEN-BY: 229/317 424 426 428 470 550 664 700 240/1120 5832 266/512
SEEN-BY: 280/464 5003 5555 282/1038 292/789 854 8125 301/1 310/31
SEEN-BY: 317/3 320/219 322/757 335/364 341/66 234 342/200 396/45 410/9
SEEN-BY: 423/120 460/58 633/280 712/848 770/1
PATH: 280/464 292/854 229/426