Subj : Mironet
To : Alan Ianson
From : Oli
Date : Sat Feb 11 2023 06:50 pm

Alan wrote (2023-02-11):

 >>> ? 11 Feb 00:00:36 [78274] Warning: remote set UNSECURE session
 >>> + 11 Feb 00:00:36 [78274] pwd protected session (MD5)

 >> This means your system is sending a session password, but the remote
 >> session has no password set for incoming connections and returns M_OK
 >> 'non-secure', which gets logged as "Warning: remote set UNSECURE
 >> session". (a wrong password should return an error)

 >> It is not a password protected or encrypted session, even if binkd
 >> tells you so. It is a security flaw of binkd though.

 AI> Is that a misconfiguration at the remote end, there is no (or an
 AI> incorrect) password set?

See http://ftsc.org/docs/fts-1026.001

  * M_OK "non-secure" report to remote about normal password
    unprotected session; usually used for empty password;

I think an incorrect password should return an M_ERR and close the connection. But it depends on the server. A man in the middle, a compromised server or a weird implementation could just ignore the password and send back M_OK "secure".

 AI> Binkd should not log "pwd protected session (MD5)" in that case.

I always use the -md option (require CRAM-MD5) for the node and check for CRYPT in the perl hook script. A CRYPT session works only if both parties use the same password.

---
 * Origin: War is Peace. Freedom is Slavery. Ignorance is Strength. (2:280/464.47)
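
Added example, not part of the original message and not binkd code: a Python check that scans a binkd log for the contradiction discussed above, a session logged as "pwd protected session" for which the remote also answered non-secure. It assumes the bracketed number identifies one session; session 78301 and the filler line in the sample are constructed.

```python
import re
from collections import defaultdict

# Log line shape taken from the two lines quoted in the message:
#   "<level> <day> <Mon> <hh:mm:ss> [<id>] <message>"
LINE_RE = re.compile(
    r"^(?P<level>\S)\s+(?P<stamp>\d{1,2} \w{3} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<sid>\d+)\]\s+(?P<msg>.*)$"
)
UNSECURE = "remote set UNSECURE session"
PROTECTED = "pwd protected session"


def find_contradictory_sessions(lines):
    """Return sessions logged as password protected although the remote
    answered non-secure. Assumption: the bracketed number is one session."""
    seen = defaultdict(lambda: {"unsecure": None, "protected": None})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything not in the quoted shape
        entry = seen[m["sid"]]
        if UNSECURE in m["msg"]:
            entry["unsecure"] = m["stamp"]
        elif PROTECTED in m["msg"]:
            entry["protected"] = m["stamp"]
    return [
        {"session": sid, "unsecure_at": e["unsecure"], "protected_at": e["protected"]}
        for sid, e in seen.items()
        if e["unsecure"] and e["protected"]
    ]


# Constructed sample: session 78274 reproduces the two lines quoted in the
# message; session 78301 and the filler line are made up for the example.
SAMPLE_LOG = """\
? 11 Feb 00:00:36 [78274] Warning: remote set UNSECURE session
+ 11 Feb 00:00:36 [78274] pwd protected session (MD5)
+ 11 Feb 00:05:12 [78301] pwd protected session (MD5)
- 11 Feb 00:05:13 [78301] (constructed filler line)
not a log line
"""

if __name__ == "__main__":
    for hit in find_contradictory_sessions(SAMPLE_LOG.splitlines()):
        print(f"session [{hit['session']}]: logged 'pwd protected' at "
              f"{hit['protected_at']} but remote answered non-secure at "
              f"{hit['unsecure_at']}")
```

A session flagged here sent its password to a remote that did not verify it, so its traffic should be treated as unauthenticated whatever the "pwd protected" line says.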