Security Incidents mailing list archives

Re: Port 113 requests?


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 7 Dec 2001 15:42:53 -0700 (MST)

On Fri, 7 Dec 2001 Valdis.Kletnieks () vt edu wrote:

> No, No, No!
>
> Port 113 AUTH is *not* an authentication protocol.
<snip>
> It was a string that *later*, if there was a problem, you would give
> back to me, the sysadmin of the *source* machine, and from that,
> I would hopefully have an idea which of my users I needed to beat
> the snot out of.

So... it's a protocol that gives me a piece of information that is meant
to be mapped to a username?  Well, that's kinda the definition of
"authentication protocol" that I was thinking of.

Is it your assertion that it's not an authentication protocol because the
information isn't immediately usable?  I understand that there are options
to provide some sort of hash instead of the direct info, but I've never
seen it used.

Here's what I pulled off the wire when I connected to an IRC server:
ADDR  HEX                                               ASCII
0000: 00 10 67 00 97 63 00 c0 f0 57 71 e1 08 00 45 00 | ..g..c..Wq...E.
0010: 00 4b 49 fa 40 00 80 06 52 fb 40 a7 8b 3a c6 ba | .KI.@...R@..:..
0020: cb 1b 00 71 08 2e 0a 20 e5 1c 6d 4e be 73 50 18 | ...q... ..mN.sP.
0030: 22 2b d8 0c 00 00 33 37 33 37 2c 20 36 36 36 37 | "+....3737, 6667
0040: 20 3a 20 55 53 45 52 49 44 20 3a 20 55 4e 49 58 |  :USERID : UNIX
0050: 20 3a 20 72 79 61 6e 0d 0a                      | : ryan..

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
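
Added example, not part of the original message: the frame from the dump above decoded in Python, showing that the reply leaves TCP port 113 and which RFC 1413 fields it carries. The function and field names are this example's own; the bytes are the hex column of the dump.

```python
import ipaddress
import struct

# Frame bytes copied from the hex column of the dump in the post above.
FRAME = bytes.fromhex(
    "00106700976300c0f05771e108004500"
    "004b49fa4000800652fb40a78b3ac6ba"
    "cb1b0071082e0a20e51c6d4ebe735018"
    "222bd80c0000333733372c2036363637"
    "203a20555345524944203a20554e4958"
    "203a207279616e0d0a"
)

def tcp_payload(frame):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) of an Ethernet/IPv4/TCP frame."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or total_len > len(ip):
        raise ValueError("not a complete IPv4/TCP packet")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    src, dst = (str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))
    return src, sport, dst, dport, tcp[data_off:]

def parse_ident_reply(payload):
    """Parse one RFC 1413 reply line into a dict; ValueError if malformed."""
    line = payload.decode("ascii", errors="replace").rstrip("\r\n")
    # The user id may contain ':', so split at most three times. Whitespace is
    # stripped as most clients do; RFC 1413 counts spaces after the last colon
    # as part of the identifier.
    parts = [p.strip() for p in line.split(":", 3)]
    if len(parts) < 3:
        raise ValueError("malformed ident reply")
    # Port pair: port on the host answering ident, then port on the asking host.
    local_port, remote_port = (int(p) for p in parts[0].split(","))
    reply = {"local_port": local_port, "remote_port": remote_port, "type": parts[1]}
    if parts[1] == "USERID" and len(parts) == 4:
        reply.update(opsys=parts[2], userid=parts[3])
    elif parts[1] == "ERROR":
        reply["error"] = parts[2]
    else:
        raise ValueError("malformed ident reply")
    return reply

if __name__ == "__main__":
    src, sport, dst, dport, data = tcp_payload(FRAME)
    print(f"{src}:{sport} -> {dst}:{dport}", parse_ident_reply(data))
```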

