FidoNet Echomail Archive


From: Digital Man
To: mark lewis
Date: 2019-06-13 22:34:52
Subject: possible CRYPT bug with no session password

  Re: possible CRYPT bug with no session password
  By: mark lewis to all on Thu Jun 13 2019 09:44 pm

 > i think we've stumbled upon a bug when interacting with binkd and no session
 > level password...
 > i have a connection with a node that sends this when my binkd connects out
 > to them...
 > OPT CRAM-MD5-411eaac235d14fa531bd059150ddac9e CRYPT
 > [...]
 > VER BinkIT/2.17,JSBinkP/1.114,sbbs3.17c/Linux binkp/1.1
 > my binkd reports this...
 > rerror: Password mismatch
 > when they connect inbound, they are sending this...
 > [...]
 > VER BinkIT/2.17,JSBinkP/1.114,sbbs3.17c/Linux binkp/1.1

That means the remote BinkIT system has a session password configured for
your node. From binkp.js 1.114 ('-' is the same as a blank/no password):

       if (!this.plain_auth_only && password !== '-')
               this.sendCmd(this.command.M_NUL, "OPT CRYPT");

 > my binkd reports this...
 > unexpected password digest from the remote
 > there is only a tic password set in echocfg... no other passwords are set
 > between the two systems...

How do you know? According to the information you provided, it certainly
seems the remote system has a session password configured.

 > i tried setting -nomd on their node line but since they are requesting
 > CRYPT, we cannot talk... binkd does not have, that i can find, an option to
 > turn off CRYPT per node...

Setting a blank password in BinkIT will stop the CRYPT option for outbound
connections. The only way to disable it for inbound connections is the new
global plain-text-only option.

 > i'm aware that binkit.js is v2.25 and binkp.js
 > v1.118 and there has been some recent work done in this area of the code...

All about disabling CRAM-MD5 and encryption because my uplink was having
issues that couldn't be easily debugged when those features were used.

 > with the above versions, i'm thinking that we're missing something since we
 > seem to be setting CRYPT even when there is no session level password
 > defined...

I don't think so.

 > i don't know if having that node update to the latest binkp.js
 > and/or binkit.js will fix this particular problem with requesting CRYPT when
 > there is no session level password set, though...

Shouldn't make any difference in that regard (for outbound connections from BinkIT).

                                            digital man

Synchronet "Real Fact" #8:
Synchronet was originally intended as a replacement for WWIV BBS software.
Norco, CA WX: 59.8F, 88.0% humidity, 5 mph E wind, 0.00 inches rain/24hrs
--- SBBSecho 3.07-Linux
 * Origin: Vertrauen - [vert/cvs/bbs] (1:103/705)
SEEN-BY: 103/705 154/10 203/0 218/700 221/0 229/426 240/5832 261/38 280/464
SEEN-BY: 280/5003 396/45 423/120 633/0 267 280 281 384 412 509 712/848 770/1
@PATH: 103/705 280/464 712/848 633/280 267
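
Added example, not part of the original message and not code from binkp.js: a small check that reads the M_NUL lines a remote sent during the binkp handshake and applies the rule described in the reply (a BinkIT originator sends OPT CRYPT only when a non-blank session password is configured). The function names, result strings and sample sessions are assumptions constructed from the lines quoted in the message.

```javascript
// Added example, not code from binkp.js. It reads the M_NUL lines a remote
// sent during the binkp handshake and applies the rule quoted in the message.
function parseNul(lines) {
  const info = { cram: null, crypt: false, mailer: '' };
  for (const raw of lines) {
    const [key, ...words] = raw.trim().split(/\s+/);
    if (key === 'VER') info.mailer = words.join(' ');
    if (key !== 'OPT') continue;
    for (const opt of words) {
      const m = /^CRAM-MD5-([0-9a-f]+)$/i.exec(opt); // MD5 form only, as on this page
      if (m) info.cram = m[1].toLowerCase();
      else if (opt === 'CRYPT') info.crypt = true;
    }
  }
  return info;
}

// remoteCalledUs: true if the remote originated the session.
// localPassword: our session password for that node ('' or '-' means none).
function diagnose(lines, remoteCalledUs, localPassword) {
  const info = parseNul(lines);
  const localBlank = !localPassword || localPassword === '-';
  if (!info.crypt) return 'no-crypt-offered';
  // Per the reply, inbound CRYPT on BinkIT is only disabled by the global
  // plain-text-only option, so it says nothing about a per-node password.
  if (!remoteCalledUs) return 'inconclusive';
  // The password !== '-' rule is BinkIT's; other mailers are not covered here.
  if (!/^BinkIT\//.test(info.mailer)) return 'inconclusive';
  return localBlank ? 'remote-has-password-we-do-not' : 'consistent';
}

// Constructed sample sessions built from the lines quoted in the message.
const VER = 'VER BinkIT/2.17,JSBinkP/1.114,sbbs3.17c/Linux binkp/1.1';
const theyCalled = [VER, 'OPT CRYPT'];
const weCalled = ['OPT CRAM-MD5-411eaac235d14fa531bd059150ddac9e CRYPT', VER];

console.log(diagnose(theyCalled, true, '-'));  // remote called us, we have no password
console.log(diagnose(weCalled, false, '-'));   // we called them
```

A 'remote-has-password-we-do-not' result corresponds to the situation the reply describes: the session passwords on the two systems do not match, and the fix is to align them on both sides.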
