In lugnet.admin.suggestions, Troy Cefaratti writes:
> [...]
> I personally download a lot from various news servers. They all require me
> to enter a password to read and post messages, except for Lugnet. Why can't
> Lugnet just require passwords for the news server like it requires passwords
> for the web interface? This would verify the user without any additional
> steps such as verification.
Troy, I could be wrong but my understanding of the way NNTP authentication &
authorization works is that it's session-based rather than message-based or
function-based.

That is, I think when you require a username and password at login, when you
initiate the NNTP connection, it's an all-or-nothing thing.

Now, this could probably fall back to read-only access if you didn't provide
a username and password, but a successful login doesn't prevent someone from
forging posts in other people's names.

In other words, the username/password combination in the NNTP protocol
_authorizes_ but doesn't _authenticate_ for practical purposes.

However, I think there is still a glimmer of hope: it should be possible in
theory to modify the NNTP server such that it inserts your login id into the
incoming message stream somehow when it receives a post. This would have to
happen at the low, protocol level. Alternatively, other methods involving
kluges might make it work too -- as long as your login id is remembered
after login and somehow associated with the content of the article you post,
then for practical purposes it has authenticated your post.

I *think* this could be made to work somehow with some hacking.

I'd like to revisit this in a month or two, after the member/user
unification, which in my mind is a prerequisite for this happening in any
sane way codewise.

--Todd
[xfut => lugnet.admin.nntp]
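
The server-side idea described in the post above (remember the login id from the session and attach it to each article as it is posted), sketched as an added example that is not part of the original post or Lugnet's code. The header name `X-Auth-Login`, the function `stamp_article` and the sample article are assumptions made for illustration.

```python
import re

AUTH_HEADER = "X-Auth-Login"  # hypothetical header name, not from the post
_SAFE_LOGIN = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def stamp_article(raw: bytes, session_login: str) -> bytes:
    """Attach the session's login id to a posted article as a server-set header.

    Client-supplied copies of the header (and their folded continuation
    lines) are dropped, so a poster cannot pre-forge the value.
    """
    if not _SAFE_LOGIN.fullmatch(session_login):
        # A login containing CR/LF could inject extra headers.
        raise ValueError("login id not safe to place in a header")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not head or not sep:
        raise ValueError("article has no header block or separator")

    kept, dropping = [], False
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):
            # Continuation line: shares the fate of the header it folds into.
            if not dropping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower()
        dropping = name == AUTH_HEADER.lower().encode()
        if not dropping:
            kept.append(line)
    kept.append(f"{AUTH_HEADER}: {session_login}".encode("ascii"))
    return b"\r\n".join(kept) + sep + body


# Constructed sample: the client forges From: and tries to pre-set the header.
SAMPLE = (
    b"From: Other Member <other.member@example.com>\r\n"
    b"Newsgroups: lugnet.admin.nntp\r\n"
    b"X-Auth-Login: other.member\r\n"
    b"\tfolded-forgery\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"Body mentioning X-Auth-Login: other.member stays untouched.\r\n"
)

if __name__ == "__main__":
    print(stamp_article(SAMPLE, "troy").decode())
```

The `From:` line is left exactly as posted; the server-set header records which login actually submitted the article, so a mismatch between the two is visible to readers and administrators.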