[Twisted-Python] NNTP/SMTP authentication
Hi folks,

In order to really get NNTP and SMTP (securely) integrated with Hep I need to get authentication working. Both of these protocols support authentication, although it's not required by the core RFCs. But as far as I can tell neither of the modules in twisted/protocols supports authentication at the moment.

Is anyone working on this already? If not, I'd like to do it myself, and I'd appreciate some help in understanding the 'right' way to implement authentication in Twisted. I've been looking at J.P.'s IMAP4 work in CVS, and I can see he's using identities and perspectives (although I don't have a complete understanding of how these work). Is the use of twisted.cred preferred? Other drivers, such as POP3, don't seem to use it...

Thanks,
Abe
On Wed, Apr 30, 2003 at 01:27:53PM -0400, Abe Fettig wrote:
Hi folks,
In order to really get NNTP and SMTP (securely) integrated with Hep I need to get authentication working. Both of these protocols support authentication, although it's not required by the core RFCs. But as far as I can tell neither of the modules in twisted/protocols supports authentication at the moment.
If you don't get to it first, I may end up doing SMTP authentication sometime in the near future (as I have need for it as well). I hadn't given much thought to NNTP.
Is anyone working on this already? If not, I'd like to do it myself, and I'd appreciate some help in understanding the 'right' way to implement authentication in Twisted. I've been looking at J.P.'s IMAP4 work in CVS, and I can see he's using identities and perspectives (although I don't have a complete understanding of how these work). Is the use of twisted.cred preferred? Other drivers, such as POP3, don't seem to use it...
I think POP3 should be updated to use cred in a manner similar to that which IMAP4 uses it. Since I wrote IMAP4, obviously I think that is the right way to do authentication ;) (modulo one thing - the actual challenge/response verification should be factored out and away from the Identity class - I believe itamar and glyph have discussed this and have some ideas for the implementation).

Whether the *actual* details of how IMAP4 is using cred are proper or not, I don't know ;) The code works, but it seems that there are too many different objects involved in the process (CramMD5Identity, CramMD5ServerAuthenticator, CramMD5ClientAuthenticator - and that's just for *one* kind of authentication scheme). Setup is similarly tedious, requiring 4 lines of "boilerplate" to set things up, and then *10* lines to add each new identity. Now that imap4.py is settling down, it'd be great if someone with more experience with cred could take a look at it and give me some feedback.

Maybe there will be a coil for cred someday so you can keep this part of the code out of your actual app, though. If so, this is one of the real strengths of cred. Your app doesn't have to do anything to manage user accounts, you just attach the cred coil and you're done.

Hope this helps,
Jp

--
A disciple of another sect once came to Drescher as he was eating his morning meal. "I would like to give you this personality test," said the outsider, "because I want you to be happy." Drescher took the paper that was offered him and put it into the toaster: "I wish the toaster to be happy, too."
--
up 41 days, 15:04, 4 users, load average: 0.00, 0.00, 0.00
On Wed, 2003-04-30 at 14:34, Jp Calderone wrote:
On Wed, Apr 30, 2003 at 01:27:53PM -0400, Abe Fettig wrote:
Hi folks,
In order to really get NNTP and SMTP (securely) integrated with Hep I need to get authentication working. Both of these protocols support authentication, although it's not required by the core RFCs. But as far as I can tell neither of the modules in twisted/protocols supports authentication at the moment.
If you don't get to it first, I may end up doing SMTP authentication sometime in the near future (as I have need for it as well). I hadn't given much thought to NNTP.
I'll make a deal with you - if you do SMTP authentication (demonstrating the 'right way to do it'), I'll write a similar patch for NNTP :-)
I think POP3 should be updated to use cred in a manner similar to that which IMAP4 uses it. Since I wrote IMAP4, obviously I think that is the right way to do authentication ;) (modulo one thing - the actual challenge/response verification should be factored out and away from the Identity class - I believe itamar and glyph have discussed this and have some ideas for the implementation).
Whether the *actual* details of how IMAP4 is using cred are proper or not, I don't know ;) The code works, but it seems that there are too many different objects involved in the process (CramMD5Identity, CramMD5ServerAuthenticator, CramMD5ClientAuthenticator - and that's just for *one* kind of authentication scheme). Setup is similarly tedious, requiring 4 lines of "boilerplate" to set things up, and then *10* lines to add each new identity. Now that imap4.py is settling down, it'd be great if someone with more experience with cred could take a look at it and give me some feedback.
Maybe there will be a coil for cred someday so you can keep this part of the code out of your actual app, though. If so, this is one of the real strengths of cred. Your app doesn't have to do anything to manage user accounts, you just attach the cred coil and you're done.
That would be nice. It seems like there's also the potential to share the code for different methods of authentication between POP3/SMTP/IMAP/NNTP - I think they all can use CRAM-MD5, for example, and it seems silly to duplicate the code in each protocol.

Abe
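The shared, protocol-independent CRAM-MD5 check suggested in the message above could look like the following. This is an added example, not code from the thread or from Twisted; the function names, the `secrets` mapping and the hostname argument are assumptions, and only the continuation prefix varies per protocol.

```python
import base64
import hashlib
import hmac
import os
import time

# Only the continuation prefix differs per protocol; the rest is shared.
CONTINUATION = {"smtp": b"334 ", "imap": b"+ ", "pop3": b"+ ", "nntp": b"383 "}


def make_challenge(hostname):
    """Fresh RFC 2195 challenge: <random.timestamp@hostname>."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return b"<%d.%d@%s>" % (nonce, int(time.time()), hostname.encode("ascii"))


def frame_challenge(protocol, challenge):
    """Wire form of the challenge for one protocol."""
    return CONTINUATION[protocol] + base64.b64encode(challenge) + b"\r\n"


def client_response(username, secret, challenge):
    """Decoded client reply: username, a space, hex HMAC-MD5 of the challenge."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return username + b" " + digest.encode("ascii")


def verify_response(secrets, challenge, response):
    """Return the authenticated username, or None."""
    username, sep, digest = response.rpartition(b" ")
    if not sep:
        return None
    # Unknown users still cost one HMAC, so timing does not separate them.
    secret = secrets.get(username, b"")
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest().encode("ascii")
    matches = hmac.compare_digest(expected, digest)
    return username if matches and username in secrets else None


def handle_client_line(secrets, challenge, line):
    """Decode one base64 reply line from any of the protocols and verify it."""
    try:
        response = base64.b64decode(line.strip(), validate=True)
    except ValueError:
        return None
    return verify_response(secrets, challenge, response)
```

To verify a reply the server needs the shared secret itself, so the account store behind `secrets` holds recoverable credentials rather than one-way password hashes.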
On Wed, 30 Apr 2003 14:34:41 -0400 Jp Calderone <exarkun@intarweb.us> wrote:
Whether the *actual* details of how IMAP4 is using cred are proper or not, I don't know ;) The code works, but it seems that there are too many different objects involved in the process (CramMD5Identity, CramMD5ServerAuthenticator, CramMD5ClientAuthenticator - and that's just for *one* kind of authentication scheme). Setup is similarly tedious, requiring 4 lines of "boilerplate" to set things up, and then *10* lines to add each new identity. Now that imap4.py is settling down, it'd be great if someone with more experience with cred could take a look at it and give me some feedback.
This is why cred is going to be refactored. With a chainsaw. On fire. End result should be that you have to do a *lot* less work in your protocol.

--
Itamar Shtull-Trauring http://itamarst.org/
http://www.zoteca.com -- Python & Twisted consulting
On Wed, 2003-04-30 at 15:25, Itamar Shtull-Trauring wrote:
On Wed, 30 Apr 2003 14:34:41 -0400 Jp Calderone <exarkun@intarweb.us> wrote:
Whether the *actual* details of how IMAP4 is using cred are proper or not, I don't know ;) The code works, but it seems that there are too many different objects involved in the process (CramMD5Identity, CramMD5ServerAuthenticator, CramMD5ClientAuthenticator - and that's just for *one* kind of authentication scheme). Setup is similarly tedious, requiring 4 lines of "boilerplate" to set things up, and then *10* lines to add each new identity. Now that imap4.py is settling down, it'd be great if someone with more experience with cred could take a look at it and give me some feedback.
This is why cred is going to be refactored. With a chainsaw. On fire. End result should be that you have to do a *lot* less work in your protocol.
That sounds really great. In the meantime, should Jp and/or I go ahead with a simple implementation of NNTP/SMTP authentication? I'm going to need it within the next month or so.

Thanks for all your work!
Abe

participants (3)
- Abe Fettig
- Itamar Shtull-Trauring
- Jp Calderone