Document: FSC-0055
Version:  001
Revision: 31-Mar-1991




            Security Passwords in Nodelist Update Files

                            Luke Kolin,
              1:250/[email protected], 89:480/210@imex

                         March 31st, 1991


   Status of this document:

        This FSC suggests a proposed protocol for the FidoNet(r)
        community,  and requests discussion and suggestions for
        improvements.  Distribution of this document is subject
        to the restrictions listed below.

        Fido and FidoNet are registered marks of Tom Jennings
        and Fido Software.

        The author grants the FTSC unlimited  distribution and
        reproduction rights  in order to facilitate discussion
        of the proposals in this document.

        MakeNL is a program by Ben Baker.

        SysNL is a program by Luke Kolin.



 PURPOSE

       This document is intended to explain the format and purpose of
 security passwords within nodelist update files, and to inform the
 authors of nodelist software about its proper usage.


 THE NEED FOR PASSWORDS

       Until now, the nodelist update files that *Cs create with software
 packages such as MakeNL or SysNL have had no security passwords inside
 of them. The only security between the NC and an RC has been the name
 of the update file itself. For example, the name of the Net 250 update
 file was "Metronet.250". It was quite conceivable for a sysop, upon
 discovering this name, to make a fraudulent update file, also called
 "MetroNet.250", and send this to 1:12/0. The nodelist processor which
 created the regional update file at that end would not know that the
 file was not genuine, and this would be added to the weekly update for
 the region.


 PASSWORD FORMAT

       It seems emminently logical that some sort of security password
 should be added to nodelist update files, to prevent the aforementioned
 problems from occurring. Therefore, I propose that nodelist update files
 have an optional password in the first (header) line, right after the
 ";A" general interest flag. The first character of this case-sensitive
 password shall be an "at" sign @ (ASCII decimal 64 hex 40). If this
 character is present, then all characters after it, until (but not
 including) the next space (ASCII decimal 32 hex 20) will be considered
 part of the password. As well, no password may be 8 characters or more
 in length. This is a sample header line, with a password of ConSoft
 present:

 ;A @ConSoft Net 250 nodelist file for Friday, February 22nd : 10344

       Please note the password starts right after the first space (ASCII
 32) with the ASCII 64 decimal character, and is case-sensitive. The
 following is a sample header, without a password present:

 ;A Net 250 nodelist file for Friday, March 1st : 13501


 NOTES

       It is extremely important that the password be on the first line
 of the nodelist update file. It must commence immediately after the first
 space (ASCII 32) character, with an ASCII 64 "at" sign. Remember, it is
 case-sensitive.

       I believe that it is up to the authors of individual nodelist
 utilities to deal with the presence of passworded update files as they
 believe fit. However, it is my belief that utilities, when faced with
 a file with a bad password, retain a copy of a previous (good) update
 file, which should be used instead of the bad one, to prevent the equally
 nasty problem of a bad update file preventing an entire network/region
 from being included.

       Please note that I do not participate in either the FTSC or NET_DEV
 conferences. I can be reached at 1:250/[email protected], or in Imex at
 89:480/210@imex.

You are viewing proxied material from gopher.altexxanet.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.