[Serdev] auth_radius module problems in pre39

Jan Janak jan at iptel.org
Fri Jul 11 21:18:05 UTC 2003


Yes, comments inline.

On 12-07 00:00, Maxim Sobolev wrote:
> Any progress on this?
> 
> -Maxim
> 
> Jan Janak wrote:
> 
> >Maxim,
> >
> >I'll comment it on Thursday, I am terribly busy now.
> >
> >
> >  Jan.
> >
> >On 08-07 22:58, Maxim Sobolev wrote:
> >
> >>Folks,
> >>
> >>Following is the list of problems we encountered in the auth_radius 
> >>module found in the 0.8.11pre39 snapshot:
> >>
> >>1. Nonce validation apparently doesn't work. I've verified that the 
> >>nonce in the client's authenticated request is the same as the one sent by ser 
> >>in the Unauthorized reply, but check_nonce() fails, I am getting 
> >>"Invalid nonce value received, very suspicious" in the log and the auth 
> >>fails. I've commented out the check_nonce() call and it now works like a charm.

  There were some problems with nonce validation some time ago but it
  has been fixed already. What is the architecture and operating system?
  I'd like to debug it but I need more information.

> >>2. For some unclear reason, the auth module now compares the hostname in the 
> >>request URI with the realm provided in the appropriate auth header and 
> >>rejects auth if they do not match. This basically makes the realm argument 
> >>in the *_challenge() and *_authorize() functions totally useless as the user 
> >>will be unable to select anything but SER's IP or SER's hostname there. 
> >>IMO this restriction has to be removed or at least conditionalised on 
> >>some config variable.

  Do you mean that the To or From domain name is compared to the realm? This
  comparison was introduced by Juha for multi-domain support. A request
  must have a To or From domain (depending on request type) that is the same as
  the digest realm value. The reason for this check is that a proxy can
  handle multiple domains concurrently; in that case it is good to check
  the domain against the realm, otherwise users might use their credentials for
  realm A to get access to realm B even if they have no credentials for
  realm B.

   Jan.
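The domain-versus-realm check Jan describes, written out as an added example (this is not SER's auth module code and not part of the list thread). It assumes, as SER's www_authorize()/proxy_authorize() split suggests, that a REGISTER is checked against the To domain and its Authorization header, and any other request against the From domain and its Proxy-Authorization header; the SIP messages and digest values are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample REGISTER: To domain and digest realm agree (should pass).
SAMPLE_REGISTER = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:alice@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="alice", realm="example.org", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="sip:example.org", '
    'response="6629fae49393a05397450978507c4ef1"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Same request, but the credentials are for another realm (should be rejected):
# without the check, credentials valid for other.org would register at example.org.
CROSS_REALM_REGISTER = SAMPLE_REGISTER.replace('realm="example.org"', 'realm="other.org"')

# Constructed sample INVITE: proxy authentication, checked against the From domain.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "f: <sip:alice@example.org>;tag=9fxced76sl\r\n"   # compact form of From
    "t: <sip:bob@example.org>\r\n"                    # compact form of To
    "CSeq: 1 INVITE\r\n"
    'Proxy-Authorization: Digest username="alice", realm="Example.ORG", '
    'nonce="0a4f113b", uri="sip:bob@example.org", '
    'response="1c5e1d17fe3a9a8c4a4ef2f0d3a2b9e0"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# host part of the first SIP(S) URI in a header value, user part optional
_URI_HOST_RE = re.compile(r"sips?:(?:[^@>\s;]+@)?([A-Za-z0-9.\-]+)", re.IGNORECASE)
# quoted realm parameter of a Digest credential
_REALM_RE = re.compile(r'\brealm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_headers(message: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP request into its method and a lower-cased header map.

    Only the first occurrence of each header is kept, which is all the
    To/From/Authorization comparison below needs.
    """
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        name = {"f": "from", "t": "to"}.get(name, name)  # expand compact forms
        headers.setdefault(name, value.strip())
    return method, headers


def uri_host(header_value: str) -> Optional[str]:
    """Domain of the URI in a To/From header value, lower-cased (hosts are case-insensitive)."""
    m = _URI_HOST_RE.search(header_value)
    return m.group(1).lower() if m else None


def digest_realm(auth_value: str) -> Optional[str]:
    """Realm claimed in a Digest (Proxy-)Authorization header, lower-cased."""
    m = _REALM_RE.search(auth_value)
    return m.group(1).lower() if m else None


def realm_matches_domain(message: str) -> Tuple[bool, str]:
    """Return (ok, reason): ok is True only when the digest realm equals the
    domain of the header that identifies the user for this request type."""
    method, headers = parse_headers(message)
    if method == "REGISTER":
        addr_header, auth_header = "to", "authorization"
    else:
        addr_header, auth_header = "from", "proxy-authorization"
    domain = uri_host(headers.get(addr_header, ""))
    realm = digest_realm(headers.get(auth_header, ""))
    if domain is None:
        return False, f"no URI domain in {addr_header} header"
    if realm is None:
        return False, f"no digest realm in {auth_header} header"
    if domain != realm:
        return False, f"realm {realm!r} does not match {addr_header} domain {domain!r}"
    return True, "ok"


if __name__ == "__main__":
    for name, msg in [("REGISTER", SAMPLE_REGISTER),
                      ("cross-realm REGISTER", CROSS_REALM_REGISTER),
                      ("INVITE", SAMPLE_INVITE)]:
        print(name, realm_matches_domain(msg))
```

The comparison is done on lower-cased values because both SIP hostnames and the realm as used here are matched case-insensitively; a failed match is reported with the reason so the rejection can be logged the way SER logs the nonce failure above.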


