[Twisted-Python] NNTP/SMTP authentication

Abe Fettig abe at fettig.net
Wed Apr 30 13:14:59 MDT 2003


On Wed, 2003-04-30 at 14:34, Jp Calderone wrote:

> On Wed, Apr 30, 2003 at 01:27:53PM -0400, Abe Fettig wrote:
> > Hi folks,
> > 
> > In order to really get NNTP and SMTP (securely) integrated with Hep I
> > need to get authentication working.  Both of these protocols support
> > authentication, although it's not required by the core RFCs.  But as far
> > as I can tell neither of the modules in twisted/protocols supports
> > authentication at the moment.
> > 
> 
>   If you don't get to it first, I may end up doing SMTP authentication
> sometime in the near future (as I have need for it as well).  I hadn't given
> much thought to NNTP.

I'll make a deal with you - if you do SMTP authentication (demonstrating
the 'right way to do it'), I'll write a similar patch for NNTP :-)

>   I think POP3 should be updated to use cred in a manner similar to that
> which IMAP4 uses it.  Since I wrote IMAP4, obviously I think that is the
> right way to do authentication ;) (modulo one thing - the actual
> challenge/response verification should be factored out and away from the
> Identity class - I believe itamar and glyph have discussed this and have
> some ideas for the implementation).
> 
>   Whether the *actual* details of how IMAP4 is using cred are proper are
> not, I don't know ;) The code works, but it seems that there are too many
> different objects involved in the process (CramMD5Identity,
> CramMD5ServerAuthenticator, CramMD5ClientAuthenticator - and that's just for
> *one* kind of authentication scheme).  Setup is similarly tedious, requiring
> 4 lines of "boilerplate" to set things up, and then *10* lines to add each
> new identity.  Now that imap4.py is settling down, it'd be great if someone
> with more experience with cred could take a look at it and give me some
> feedback.
> 
>   Maybe there will be a coil for cred someday so you can keep this part of
> the code out of your actual app, though.  If so, this is one of the real
> strengths of cred.  Your app doesn't have to do anything to manage user
> accounts, you just attach the cred coil and you're done.

That would be nice.  It seems like there's also the potential to share
the code for different methods of authentication between
POP3/SMTP/IMAP/NNTP - I think they all can use CRAM-MD5, for example,
and it seems silly to duplicate the code in each protocol.

Abe





More information about the Twisted-Python mailing list