I have a node in fsxNet running 21:1/167 and have credentials set up in BinkD for it.

When it polls BinkD is showing/logging the fidonet AKA for the incoming poll and not the Zone 21 AKA that has been configured at my end.

I don't have a Fidonet AKA setup in my BinkD for this node, yet my instance of BinkD seems to like/accept it?

Any ideas how I can ensure just the Zone 21 is accepted?

+ 18 Jun 00:00:50 [8243] incoming session with 69.30.232.251
- 18 Jun 00:00:50 [8243] SYS CyberBBS WHQ
- 18 Jun 00:00:50 [8243] ZYZ Chad Adams
- 18 Jun 00:00:50 [8243] LOC Hideaway, TX
- 18 Jun 00:00:50 [8243] NDL 115200,TCP,BINKP
- 18 Jun 00:00:50 [8243] TIME Sat, 17 Jun 2023 07:00:36 -0500
- 18 Jun 00:00:50 [8243] VER binkd/1.1a-115/Linux binkp/1.1
+ 18 Jun 00:00:50 [8243] addr: 1:19/40@fidonet
+ 18 Jun 00:00:50 [8243] addr: 21:1/167@fsxnet
+ 18 Jun 00:00:50 [8243] addr: 700:100/200@spooknet (n/a or busy)
+ 18 Jun 00:00:50 [8243] addr: 10:102/12@araknet (n/a or busy)
+ 18 Jun 00:00:50 [8243] addr: 618:200/33@micronet (n/a or busy)
- 18 Jun 00:00:50 [8243] OPT NDA EXTCMD CRYPT
+ 18 Jun 00:00:50 [8243] Remote supports asymmetric ND mode
+ 18 Jun 00:00:50 [8243] Remote supports EXTCMD mode
+ 18 Jun 00:00:50 [8243] Remote requests CRYPT mode
- 18 Jun 00:00:50 [8243] TRF 0 0
+ 18 Jun 00:00:50 [8243] Remote has 0b of mail and 0b of files for us
+ 18 Jun 00:00:50 [8243] pwd protected session (MD5)
- 18 Jun 00:00:50 [8243] session in CRYPT mode
+ 18 Jun 00:00:50 [8243] done (from 1:19/40@fidonet, OK, S/R: 0/0 (0/0 bytes))

Best, Paul

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going' avon[at]bbs.nz | bbs.nz | fsxnet.nz

--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Re: why one aka vs another
By: Paul Hayton to All on Sun Jun 18 2023 10:31 am

When it polls BinkD is showing/logging the fidonet AKA for the incoming poll and not the Zone 21 AKA that has been configured at my end.

I don't have a Fidonet AKA setup in my BinkD for this node, yet my instance of BinkD seems to like/accept it?

Any ideas how I can ensure just the Zone 21 is accepted?

- 18 Jun 00:00:50 [8243] VER binkd/1.1a-115/Linux binkp/1.1
+ 18 Jun 00:00:50 [8243] addr: 1:19/40@fidonet
+ 18 Jun 00:00:50 [8243] addr: 21:1/167@fsxnet

Binkd authenticates against to the address that matches the password, but becasue they have their fido address listed first, I think it shows that as the session in the logs.

(IIRC binkd doesnt support MPWD - Multiple password mode, where it would authenticate each presented AKA)


...δεσ∩
--- SBBSecho 3.20-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (3:633/509)

On 18 Jun 2023 at 09:10a, deon pondered and said...

Binkd authenticates against to the address that matches the password, but becasue they have their fido address listed first, I think it shows that as the session in the logs.

You would think it would show in the logs as the system it matched with for password authentication vs the first AKA presented even if it wasn't the one that matched for password... yeah, seems a bit strange to my little brain :)

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going' avon[at]bbs.nz | bbs.nz | fsxnet.nz

--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Paul wrote (2023-06-18):

I have a node in fsxNet running 21:1/167 and have credentials set up in BinkD for it.

When it polls BinkD is showing/logging the fidonet AKA for the incoming poll and not the Zone 21 AKA that has been configured at my end.

I don't have a Fidonet AKA setup in my BinkD for this node, yet my instance of BinkD seems to like/accept it?

Are you 100% sure that there is not anything about fidonet in you binkd.cfg (or the included config files)? If there is no fidonet AKA, you should get a "(n/a or busy)" for fidonet too. But maybe I'm missing something.

Any ideas how I can ensure just the Zone 21 is accepted?

You cannot. It's a flaw of the binkp protocol (inherited from EMSI). The moment you have a password protected session, the incoming connection can dump anything in your ("secure") inbound. That is the reason we have pkt (and tic) passwords.

You can configure some restrictions with the "skip" and "check-pkthdr" keyword, but I'm not sure, if check-pkthdr secure would prevent it.

---
* Origin: No REPLY kludge - no reply (2:280/464.47)

On 19 Jun 2023 at 09:53a, Oli pondered and said...

I don't have a Fidonet AKA setup in my BinkD for this node, yet my instance of BinkD seems to like/accept it?

Are you 100% sure that there is not anything about fidonet in you binkd.cfg (or the included config files)? If there is no fidonet AKA,
you should get a "(n/a or busy)" for fidonet too. But maybe I'm missing something.

i will double check and let you know.

Any ideas how I can ensure just the Zone 21 is accepted?

You cannot. It's a flaw of the binkp protocol (inherited from EMSI). The moment you have a password protected session, the incoming connection
can dump anything in your ("secure") inbound. That is the reason we have pkt (and tic) passwords.

You can configure some restrictions with the "skip" and "check-pkthdr" keyword, but I'm not sure, if check-pkthdr secure would prevent it.

OK thanks Oli.

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going' avon[at]bbs.nz | bbs.nz | fsxnet.nz

--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)