[sr-dev] Stale nonce for Authentication

Martin Hoffmann martin.hoffmann at telio.ch
Sat May 28 08:54:49 CEST 2011


Juha Heinanen wrote:
> Martin Hoffmann writes:
> 
> > My plan was to eventually start a branch of my own in git. Haven't
> > gotten round to it yet.
> > 
> > > i would do it so that if www or proxy_authorize function returns -4
> > > (stale nonce) then i would call www or proxy_challenge with stale flag
> > > on.  it would then cause stale=true to be added to the header.
> > 
> > That would be an option, too, but IMHO it makes the whole authorization bit
> > in the config unnecessarily messy.
> 
> why is that?  i now have,
> 
>     if (!radius_proxy_authorize("$var(uri_domain)", "$var(uri_user)")) {
>         switch ($rc) {
>         ...
>         case -4:
>             xlog("L_INFO", "$rm <$ru> by <$var(uri)> has stale nonce\n");
>             www_challenge("$td", "1");
>             exit;
> 
> the only thing i would need to change is www_challenge flag parameter
> value from "1" to "9".

Right. I can live with that. But just to illustrate my point, here is
how my authentication part looks:

   if (!proxy_authorize("$fd", "subscriber")) {
       proxy_challenge("$fd", "9");
       drop;
   }

I don't really see any reason why I would want the switch and cases when
proxy_challenge() magically does what I want.

> so i propose adding this:
> 
>           + 8 - build challenge header with stale=true
> 
> it would be a simple, fully backwards compatible new feature.

Okay. That would be a completely different albeit much simpler patch
than mine.

Regards,
Martin
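
The stale-nonce case discussed in this thread, as an added Python example (not code from the thread or from the auth module): the server returns -4 only when the digest is valid for an expired nonce, which is the condition under which RFC 2617 says stale=true should be set, and then challenges with stale=true so the client can retry without re-prompting for the password. Only the -4 code and the stale=true parameter come from the thread; the nonce layout, `SECRET`, `NONCE_TTL`, `AUTH_FAILED` and all function names are assumptions of this example.

```python
import hashlib, hmac

SECRET = b"constructed-server-secret"  # constructed sample key, not a real one
NONCE_TTL = 300                        # assumed nonce lifetime in seconds
AUTH_OK, AUTH_FAILED, STALE_NONCE = 1, -1, -4  # only -4 comes from the thread

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]

def _eq(a, b):  # constant-time comparison that also tolerates non-ASCII input
    return hmac.compare_digest(a.encode(), b.encode())

def make_nonce(now):
    # Assumed nonce layout: "<issue time>:<MAC over issue time>".
    ts = str(int(now))
    return f"{ts}:{_mac(ts)}"

def nonce_state(nonce, now):
    ts, _, mac = nonce.partition(":")
    if not (ts.isascii() and ts.isdigit()) or not _eq(mac, _mac(ts)):
        return "invalid"               # not issued by this server
    return "stale" if now - int(ts) > NONCE_TTL else "fresh"

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2)
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def authorize(creds, password, method, now):
    state = nonce_state(creds["nonce"], now)
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"])
    if state == "invalid" or not _eq(expected, creds["response"]):
        return AUTH_FAILED
    # Digest is valid for this nonce; only its age decides the outcome.
    return STALE_NONCE if state == "stale" else AUTH_OK

def challenge(realm, now, stale=False):
    hdr = f'Digest realm="{realm}", nonce="{make_nonce(now)}", algorithm=MD5'
    return hdr + (", stale=true" if stale else "")

def handle(creds, password, method, now):
    # Returns None when authorized, else the challenge header value to send.
    rc = authorize(creds, password, method, now)
    return None if rc == AUTH_OK else challenge(creds["realm"], now, rc == STALE_NONCE)
```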
