Document: FSC-0055
Version: 001
Revision: 31-Mar-1991
Security Passwords in Nodelist Update Files
Luke Kolin,
1:250/
[email protected], 89:480/210@imex
March 31st, 1991
Status of this document:
This FSC suggests a proposed protocol for the FidoNet(r)
community, and requests discussion and suggestions for
improvements. Distribution of this document is subject
to the restrictions listed below.
Fido and FidoNet are registered marks of Tom Jennings
and Fido Software.
The author grants the FTSC unlimited distribution and
reproduction rights in order to facilitate discussion
of the proposals in this document.
MakeNL is a program by Ben Baker.
SysNL is a program by Luke Kolin.
PURPOSE
This document is intended to explain the format and purpose of
security passwords within nodelist update files, and to inform the
authors of nodelist software about its proper usage.
THE NEED FOR PASSWORDS
Until now, the nodelist update files that *Cs create with software
packages such as MakeNL or SysNL have had no security passwords inside
of them. The only security between the NC and an RC has been the name
of the update file itself. For example, the name of the Net 250 update
file was "Metronet.250". It was quite conceivable for a sysop, upon
discovering this name, to make a fraudulent update file, also called
"MetroNet.250", and send this to 1:12/0. The nodelist processor which
created the regional update file at that end would not know that the
file was not genuine, and this would be added to the weekly update for
the region.
PASSWORD FORMAT
It seems emminently logical that some sort of security password
should be added to nodelist update files, to prevent the aforementioned
problems from occurring. Therefore, I propose that nodelist update files
have an optional password in the first (header) line, right after the
";A" general interest flag. The first character of this case-sensitive
password shall be an "at" sign @ (ASCII decimal 64 hex 40). If this
character is present, then all characters after it, until (but not
including) the next space (ASCII decimal 32 hex 20) will be considered
part of the password. As well, no password may be 8 characters or more
in length. This is a sample header line, with a password of ConSoft
present:
;A @ConSoft Net 250 nodelist file for Friday, February 22nd : 10344
Please note the password starts right after the first space (ASCII
32) with the ASCII 64 decimal character, and is case-sensitive. The
following is a sample header, without a password present:
;A Net 250 nodelist file for Friday, March 1st : 13501
NOTES
It is extremely important that the password be on the first line
of the nodelist update file. It must commence immediately after the first
space (ASCII 32) character, with an ASCII 64 "at" sign. Remember, it is
case-sensitive.
I believe that it is up to the authors of individual nodelist
utilities to deal with the presence of passworded update files as they
believe fit. However, it is my belief that utilities, when faced with
a file with a bad password, retain a copy of a previous (good) update
file, which should be used instead of the bad one, to prevent the equally
nasty problem of a bad update file preventing an entire network/region
from being included.
Please note that I do not participate in either the FTSC or NET_DEV
conferences. I can be reached at 1:250/
[email protected], or in Imex at
89:480/210@imex.