Subj : Mironet
To   : Alan Ianson
From : Oli
Date : Sat Feb 11 2023 06:50 pm

Alan wrote (2023-02-11):

>>> ? 11 Feb 00:00:36 [78274] Warning: remote set UNSECURE session
>>> + 11 Feb 00:00:36 [78274] pwd protected session (MD5)

>> This means your system is sending a session password, but the remote
>> session has no password set for incoming connections and returns M_OK
>> 'non-secure', which gets logged as "Warning: remote set UNSECURE
>> session". (a wrong password should return an error)

>> It is not a password protected or encrypted session, even if binkd
>> tells you so. It is a security flaw of binkd though.

AI> Is that a misconfiguration at the remote end, there is no (or an
AI> incorrect) password set?

See http://ftsc.org/docs/fts-1026.001

 * M_OK "non-secure"
   report to remote about normal password unprotected
   session; usually used for empty password;

I think an incorrect password should return an M_ERR and close the connection.

But it depends on the server. A man in the middle, a compromised server or a weird implementation could just ignore the password and send back M_OK "secure".

AI> Binkd should not log "pwd protected session (MD5)" in that case.

I always use the -md option (require CRAM-MD5) for the node and check for CRYPT in the Perl hook script. A CRYPT session works only if both parties use the same password.

---
* Origin: War is Peace. Freedom is Slavery. Ignorance is Strength. (2:280/464.47)
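
Added example (not part of the original message and not binkd code): a small log audit that pairs the "remote set UNSECURE session" warning with the "pwd protected session" line of the same process ID, so sessions that binkd labels as protected but that were actually non-secure stand out. The line format is taken from the two log lines quoted above; the function name, the sample log beyond those two lines, and the assumption that the warning is logged before the "pwd protected" line are the example's own.

```python
import re

# Line shape as in the two log lines quoted in the message:
#   <level> <day> <Mon> <hh:mm:ss> [<pid>] <text>
LINE_RE = re.compile(
    r"^\S\s+(?P<ts>\d{1,2} [A-Za-z]{3} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<pid>\d+)\]\s+(?P<msg>.*)$"
)
UNSECURE = "remote set UNSECURE session"
PROTECTED = "pwd protected session"


def audit_sessions(lines):
    """Return (timestamp, pid, no_warning_seen) for each 'pwd protected' line.

    Assumes the UNSECURE warning is logged before the 'pwd protected' line of
    the same session, as in the quoted log. The pending flag is cleared after
    each verdict so that a reused PID does not inherit an old warning.
    """
    pending_unsecure = set()
    verdicts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a log line in the expected shape
        pid, msg = int(m["pid"]), m["msg"]
        if UNSECURE in msg:
            pending_unsecure.add(pid)
        elif msg.startswith(PROTECTED):
            verdicts.append((m["ts"], pid, pid not in pending_unsecure))
            pending_unsecure.discard(pid)
    return verdicts


# First two lines are from the message; the last two are constructed samples.
SAMPLE_LOG = """\
? 11 Feb 00:00:36 [78274] Warning: remote set UNSECURE session
+ 11 Feb 00:00:36 [78274] pwd protected session (MD5)
+ 11 Feb 00:05:10 [78301] pwd protected session (MD5)
+ 11 Feb 01:00:00 [78274] pwd protected session (MD5)
""".splitlines()

if __name__ == "__main__":
    for ts, pid, ok in audit_sessions(SAMPLE_LOG):
        status = "no warning logged" if ok else "NON-SECURE despite 'pwd protected' line"
        print(f"{ts} [{pid}] {status}")
```

A True result only means no warning was logged for that session; as noted above, a remote that ignores the password and answers M_OK "secure" would not trigger it.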