[Serusers] cisco 7960 authentication failure

Jan Janak jan at iptel.org
Wed Sep 10 13:53:44 CEST 2003


On 10-09 07:50, Jakob Schlyter wrote:
> On Wed, 10 Sep 2003, Jan Janak wrote:
> 
> >  domain in username attribute must be same as the value of realm
> >  attribute.
> 
> because of the implementation in ser? I understand this is not the case
> for digest authentication in general, no? According to RFC2617, the realm
> doesn't even have to be a domain.

  Yes, this is our policy. The realm is only a string, nothing more.
  Since a message can contain several digest credentials headers, the realm is
  used to distinguish among them. So, you configure your proxy to use
  one particular realm and it then tries to find credentials with that
  realm and ignores any other.

> anyway, after changing the realm to "" I get the data below. it seems to
> me that the internal calculate_ha1 (I use calculate_ha1=1) gets the wrong
> hash?

  If you use www_challenge("") and www_authorize("") then the server
  extracts the realm from the message. If it is REGISTER then the From
  domain will be used, otherwise the To domain will be used.

>  WWW-Authenticate: Digest realm="schlyter.net",
>  nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30", qop="auth"

   This is the challenge that will be sent to the user.

>  Authorization: Digest username="jakob at schlyter.net",realm="schlyter.net",
>  uri="sip:schlyter.net",response="3d38e621a815df0c2589656c294b9129",
>  nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30",cnonce="77390415",
>  qop=auth,nc=00000001,algorithm=m
> 
>  0(27788) HA1 string calculated: 5e860120544c1454fee11f18b334e4ed
>  0(27788) check_response(): Our result = '2544fd772b025e8ce54da191166ea319'
> 
> however,
> 
>  itodenwa> ./gen_ha1 jakob schlyter.net ser2003
>  5e860120544c1454fee11f18b334e4ed
> 
 
   You must use ./gen_ha1 jakob at schlyter.net schlyter.net ser2003 to get
   the same hash.

   The reason is that you have the realm in the username. A user agent that
   sent the credentials above also calculates the response using
   "jakob at schlyter.net" as username, so you must do the same.

   BTW you don't have to put @schlyter.net into the username, it is not
   mandatory, you can use just "jakob".

   The reason why we handle this special case (realm in username) is
   that there are some user agents which put this into the username
   automatically and it can't be switched off. Also, the realm parameter in
   the credentials is not protected by the hash, so from time to time
   people prefer to include the realm in the username parameter, which
   is protected by the hash.

      Jan.
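Added example (Python, not SER's own code or gen_ha1): the HA1 and qop=auth response computation for the exchange above, showing why a stored HA1 only verifies the phone's response when it was derived from the same username string the phone used. The realm, nonce, cnonce, nc and uri are the ones quoted in the thread, the password "ser2003" is the one passed to gen_ha1 there, and the REGISTER method is an assumption.

```python
import hashlib


def md5_hex(data: str) -> str:
    """Lowercase hex MD5, as RFC 2617 Digest uses with algorithm=MD5."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def calculate_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); gen_ha1 takes the same three inputs."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """Digest response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def check_response(stored_ha1: str, method: str, creds: dict) -> bool:
    """Server side (what check_response() in the log does): recompute and compare."""
    expected = digest_response(stored_ha1, method, creds["uri"], creds["nonce"],
                               creds["nc"], creds["cnonce"], creds["qop"])
    return expected == creds["response"]


def demo() -> dict:
    # Constructed from the thread: realm/nonce/cnonce/nc/uri from the headers,
    # password from the gen_ha1 call; REGISTER is an assumption.
    realm, password = "schlyter.net", "ser2003"
    nonce = "3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30"
    # The phone put the realm into the username, so its HA1 uses the long form.
    ua_ha1 = calculate_ha1("jakob@schlyter.net", realm, password)
    creds = {
        "uri": "sip:schlyter.net", "nonce": nonce, "nc": "00000001",
        "cnonce": "77390415", "qop": "auth",
        "response": digest_response(ua_ha1, "REGISTER", "sip:schlyter.net",
                                    nonce, "00000001", "77390415", "auth"),
    }
    # What "./gen_ha1 jakob schlyter.net ser2003" computes: a different HA1.
    short_ha1 = calculate_ha1("jakob", realm, password)
    return {
        "ha1_with_domain": ua_ha1,
        "ha1_short": short_ha1,
        "verifies_with_domain": check_response(ua_ha1, "REGISTER", creds),
        "verifies_short": check_response(short_ha1, "REGISTER", creds),
    }
```

Only the HA1 built from "jakob@schlyter.net" verifies the phone's response; the one gen_ha1 produces for the bare "jakob" is rejected, which is exactly the mismatch in the log above.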
