On Wednesday 07 September 2005 08:48, mcbridematt wrote:
[...]
> AUTHINFO PASS (pass)

I'd just like to point out that if that password is sent in plain text, then NNTP authentication should only be supported via an encrypted channel, and lengths need to be taken to prevent the client from attempting to authenticate if it's not. I don't know enough about the protocol to know if it's possible to do this legally --- does returning an error code at the AUTHINFO USER stage prevent the client from continuing the authentication? Otherwise, it may be necessary to abruptly break the connection, which is horribly ugly but I don't see an alternative. (It's not even particularly reliable if the client's pipelining commands...)
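
An added example, not part of the original message and not any project's own code: a minimal server-side AUTHINFO handler that refuses authentication on an unencrypted channel, using the 483 response that RFC 3977 later defined for "command unavailable until suitable privacy has been arranged". The `Session` class, `run` helper and `USERS` store are hypothetical names, and the credentials are constructed; the pipelined case shows that a refusal cannot un-send a password the client has already written, so the handler records the exposure without ever storing the value.

```python
import hmac

# Constructed credential store for the example only.
USERS = {"alice": "s3cret"}

class Session:
    def __init__(self, encrypted):
        self.encrypted = encrypted        # True once the channel is TLS-protected
        self.pending_user = None          # set after an accepted AUTHINFO USER
        self.authenticated = False
        self.cleartext_pass_seen = False  # a password crossed the wire unencrypted

    def handle(self, line):
        """Return the response line for one client command."""
        parts = line.strip().split(" ", 2)
        if len(parts) < 3 or parts[0].upper() != "AUTHINFO":
            return "500 Unknown command"
        kind, arg = parts[1].upper(), parts[2]
        if kind not in ("USER", "PASS"):
            return "501 Syntax error"
        if not self.encrypted:
            # Refuse before using the argument. A pipelining client may already
            # have sent PASS, so note the exposure (never the password itself).
            if kind == "PASS":
                self.cleartext_pass_seen = True
            return "483 Encryption required for authentication"
        if kind == "USER":
            self.pending_user = arg
            return "381 Password required"
        if self.pending_user is None:
            return "482 Authentication commands issued out of sequence"
        user, self.pending_user = self.pending_user, None
        expected = USERS.get(user, "")
        # Constant-time comparison of the supplied and stored password.
        ok = user in USERS and hmac.compare_digest(expected.encode(), arg.encode())
        self.authenticated = ok
        return "281 Authentication accepted" if ok else "481 Authentication failed"

def run(session, pipelined):
    """Feed a batch of pipelined command lines; return the responses in order."""
    return [session.handle(l) for l in pipelined.splitlines()]
```

A session with `cleartext_pass_seen` set is a candidate for forcing a password change on that account, since the credential was visible on the wire even though the login was refused.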
