Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!wasatch!cs.utexas.edu!uunet!intercon!amanda@intercon.UUCP
From: amanda@intercon.UUCP (Amanda Walker)
Newsgroups: news.software.nntp
Subject: Re: Re: NNTP authentication
Message-ID: <03-May-89.133859@192.41.214.2>
Date: 3 May 89 17:31:06 GMT
References: <13084@paris.ics.uci.edu>
Sender: news@intercon.UUCP
Reply-To: amanda@intercon.UUCP (Amanda Walker)
Organization: InterCon Systems Corporation, Sterling, VA
Lines: 22

In article , jv@mh.nl (Johan Vromans) writes:
>Of course, this method depends on the co-operation of the client. Any
>user who can write his own nntp-access routines can bypass the
>user-based authorization (not the hostname-based authorization).
>Currently, if no "HELO" command is sent, default access for the host
>is allowed.

The users don't even have to write a program under most operating
systems; how about:

    telnet hostname 119
    200 ...
    HELO root

It does keep people from reading some groups accidentally with rrn, I
suppose, but that's about it. I wouldn't consider it a security measure
by any means.

--
Amanda Walker
InterCon Systems Corporation
amanda@intercon.UUCP / intercon!amanda@uunet.uu.net