On Thu, 07 Nov 1996 13:22:49 +0300 Lawrence Beobachter <larry@spmu.runnet.ru> wrote:
> I tried tcpdump on FreeBSD and it turned out that login information
> during telnet sessions as well as USER and PASS info sent by pop-client
> are both xmitted in plain text <shudder>.
> Is there any solution besides S/Key (please, include pointers) to
> block this don't-know-how-to-call-it hole.
RFC1734 defines an AUTHenticate command for POP3. In a nutshell it's a
cut-and-paste of the AUTH command from IMAP4. You can use this
mechanism to get Kerberos authentication.
POP3 also defines the APOP command, allowing for a shared-secret style
of authentication. The problem with APOP is that it requires a separate
server database to hold the authentication data. This is a bit of a
maintenance headache, and duplicates functionality better provided by
something like Kerberos.
MIT also cooked up the KPOP command -- an unofficial
extension that allows Kerberos authentication to be used.
I don't use POP3 clients so I can't say which of them implements any or
all of the above. (RFC1957 indicates that APOP is supported in
Qualcomm's POP server, Eudora (lite and pro), and by GNU Emacs VM. I
also seem to recall that MH has support for one or both of APOP/KPOP.)
On the server side, the only code I'm aware of that supports all three
of these authentication schemes is the POP3 proxy in the CMU Cyrus
IMAP4 server.
--lyndon
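The APOP exchange mentioned above, as an added example (not code from the original message or from any of the servers it names): the server embeds a one-time timestamp in its greeting, the client answers with MD5 over timestamp plus shared secret as RFC 1939 specifies, and the server recomputes the digest from its own copy of the secret, which is exactly why it needs the separate secret database the message complains about. The hostname, user name, secret and secret table are constructed for this example.

```python
import hashlib
import hmac

# Constructed shared-secret table. APOP forces the server to keep each user's
# secret in recoverable form (not a one-way hash), which is the maintenance
# burden the message describes. Hypothetical, not any real server's format.
SHARED_SECRETS = {"mrose": "tanstaaf"}


def apop_banner(hostname: str, now: int, pid: int) -> str:
    """Build the RFC 1939 greeting; the <pid.time@host> part is the challenge."""
    return f"+OK POP3 server ready <{pid}.{now}@{hostname}>"


def extract_challenge(banner: str) -> str:
    """The challenge is the timestamp string including its angle brackets."""
    start = banner.index("<")
    end = banner.index(">", start)
    return banner[start:end + 1]


def apop_digest(challenge: str, secret: str) -> str:
    """RFC 1939 APOP: digest = MD5(timestamp || shared secret), lowercase hex."""
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


def client_apop_command(banner: str, user: str, secret: str) -> str:
    """What the client sends instead of USER/PASS; the secret never appears."""
    return f"APOP {user} {apop_digest(extract_challenge(banner), secret)}"


def server_verify(banner: str, command: str) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = SHARED_SECRETS.get(user)
    if secret is None:
        return False
    expected = apop_digest(extract_challenge(banner), secret)
    # Constant-time compare so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    banner = apop_banner("dbc.mtview.ca.us", 697170952, 1896)
    cmd = client_apop_command(banner, "mrose", "tanstaaf")
    print(banner)
    print(cmd, "->", "+OK" if server_verify(banner, cmd) else "-ERR")
```

A sniffer on the link sees only the challenge and the digest; because the challenge changes per connection, a captured APOP line does not verify against a later greeting.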