[Serdev] auth_radius module problems in pre39
Maxim Sobolev
sobomax at portaone.com
Fri Jul 11 22:18:13 UTC 2003
Jan Janak wrote:
> Yes, comments inline.
>
> On 12-07 00:00, Maxim Sobolev wrote:
>
>>Any progress on this?
>>
>>-Maxim
>>
>>Jan Janak wrote:
>>
>>
>>>Maxim,
>>>
>>>I'll comment it on Thursday, I am terribly busy now.
>>>
>>>
>>> Jan.
>>>
>>>On 08-07 22:58, Maxim Sobolev wrote:
>>>
>>>
>>>>Folks,
>>>>
>>>>Following is the list of problems we encountered in the auth_radius
>>>>module found in the 0.8.11pre39 snapshot:
>>>>
>>>>1. Nonce validation apparently doesn't work. I've verified that the
>>>>nonce in the client's authenticated request is the same as the one sent by ser
>>>>in the Unauthorized reply, but check_nonce() fails, I am getting
>>>>"Invalid nonce value received, very suspicious" in the log and the auth
>>>>fails. I've commented out the check_nonce() call and it now works like a charm.
>
>
> There were some problems with nonce validation some time ago but it
> has been fixed already. What is the architecture and operating system?
> I'd like to debug it but I need more information.
Operating system is FreeBSD 4.8. Please let me know what else you
need for debugging.
>>>>2. For some unclear reason, the auth module now compares the hostname in the
>>>>request URI with the realm provided in the appropriate auth header and
>>>>rejects auth if they do not match. This basically makes the realm argument
>>>>in the *_challenge() and *_authorize() functions totally useless, as the user
>>>>will be unable to select anything but SER's IP or SER's hostname there.
>>>>IMO this restriction has to be removed or at least conditionalised on
>>>>some config variable.
>
>
> Do you mean that the To or From domain name is compared to the realm? This
> comparison was introduced by Juha for multi-domain support. A request
> must have a To or From (depending on request type) domain the same as the
> digest realm value. The reason for this check is that a proxy can
> handle multiple domains concurrently; in that case it is good to check
> the domain against the realm, otherwise users might use their credentials for
> realm A to get access to realm B even if they have no credentials for
> realm B.
I see your point, but for single realm configurations can we provide a
config option which will disable this check?
-Maxim
>
> Jan.
>
>
>
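To make the domain/realm comparison discussed in this thread concrete, here is an added illustration in Python; it is not SER's auth module code and is not from either poster. It parses a SIP request, pulls the realm out of the Digest credentials, and compares it with the To domain (for REGISTER) or the From domain (for other requests); that REGISTER-uses-To convention is an assumption here. The `require_match` flag models the single-realm configuration switch Maxim asks for and is hypothetical; the sample requests are constructed, and the second one shows the cross-realm credential reuse the check is meant to reject.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample REGISTER whose Digest realm matches the To domain.
REGISTER_OK = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Authorization: Digest username=\"alice\", realm=\"example.com\", "
    "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", uri=\"sip:example.com\", "
    "response=\"6629fae49393a05397450978507c4ef1\"\r\n"
    "\r\n"
)

# Constructed sample: credentials issued for realm-a.example are presented
# for a To domain of realm-b.example, the cross-realm reuse the check rejects.
REGISTER_CROSS_REALM = (
    "REGISTER sip:realm-b.example SIP/2.0\r\n"
    "From: <sip:bob@realm-b.example>;tag=4411\r\n"
    "To: <sip:bob@realm-b.example>\r\n"
    "Authorization: Digest username=\"bob\", realm=\"realm-a.example\", "
    "nonce=\"0a1b2c3d4e5f60718293a4b5c6d7e8f9\", uri=\"sip:realm-b.example\", "
    "response=\"ffffffffffffffffffffffffffffffff\"\r\n"
    "\r\n"
)

# Host part of a sip:/sips: URI: optional user@, then host up to port/params.
_URI_HOST = re.compile(r"sips?:(?:[^@>\s]*@)?([^;>:\s?]+)", re.IGNORECASE)
# One 'key="quoted"' or 'key=token' parameter of a Digest header.
_DIGEST_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_headers(message: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP request into (METHOD, {lowercased header name: value}).

    Only the first occurrence of each header is kept, which is enough here.
    """
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return method, headers


def uri_host(header_value: str) -> Optional[str]:
    """Host of the first SIP URI in a From/To header, lowercased, port dropped."""
    m = _URI_HOST.search(header_value)
    return m.group(1).lower() if m else None


def digest_params(auth_value: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2' into a dict with lowercased keys."""
    body = auth_value.split(" ", 1)[1] if auth_value.lower().startswith("digest") else auth_value
    return {k.lower(): (q or u) for k, q, u in _DIGEST_PARAM.findall(body)}


def realm_matches_domain(message: str, require_match: bool = True) -> Tuple[bool, str]:
    """Apply the multi-domain realm check described in the thread.

    Assumed convention: REGISTER is checked against the To domain, every
    other request against the From domain. require_match=False models a
    hypothetical single-realm config option that disables the comparison.
    Returns (accepted, reason).
    """
    method, headers = parse_headers(message)
    auth = headers.get("authorization") or headers.get("proxy-authorization")
    if auth is None:
        return False, "no digest credentials"
    realm = digest_params(auth).get("realm", "").lower()
    if not realm:
        return False, "no realm in credentials"
    if not require_match:
        return True, "single-realm mode: domain/realm comparison disabled"
    domain_header = headers.get("to") if method == "REGISTER" else headers.get("from")
    domain = uri_host(domain_header or "")
    if domain is None:
        return False, "no domain in To/From"
    if domain != realm:
        return False, f"realm {realm!r} does not match domain {domain!r}"
    return True, "realm matches domain"


if __name__ == "__main__":
    for name, msg in (("ok", REGISTER_OK), ("cross-realm", REGISTER_CROSS_REALM)):
        print(name, realm_matches_domain(msg))
    print("cross-realm, single-realm mode", realm_matches_domain(REGISTER_CROSS_REALM, require_match=False))
```

The cross-realm request is rejected only because the comparison runs before the Digest response is verified, so a valid password for realm A never earns access to domain B; switching `require_match` off is safe only when the proxy really serves a single realm, which is the trade-off the two posters are discussing.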