[Serusers] cisco 7960 authentication failure

Jan Janak jan at iptel.org
Wed Sep 10 17:04:48 CEST 2003


On 10-09 16:53, Jakob Schlyter wrote:
> On Wed, 10 Sep 2003, Jan Janak wrote:
> 
> >    You must use ./gen_ha1 jakob at schlyter.net schlyter.net ser2003 to get
> >    the same hash.
> 
> does the internal ha1 calculation try to match both username at domain and
> only username? It seems to me it only tries to match the hash for
> username.

  There was a bug in the digest code (discovered by Andrei): if you use
  calc_ha1 and "jakob at schlyter.net" in the digest username then the
  server will not authenticate you.

  You have two choices, either update the server from the stable branch
  of the CVS where the problem is fixed or use only "jakob" in the
  digest username.

> >    The reason is that you have realm in the username. A user agent that
> >    sent the credentials above also calculates the response using
> >    "jakob at schlyter.net" as username so you must do the same.
> 
> I thought ser was doing the hashing since I set calculate_ha1=1.

   Yes, but if you have calculate_ha1=1 then you don't need gen_ha1. I
   thought you wanted to generate HA1 strings and insert them into the
   database.

> >    BTW you don't have to put @schlyter.net into the username, it is not
> >    mandatory, you can use just "jakob".
> 
> how could it separate jakob at schlyter.se and (some other) jakob at example.com
> user if I don't put the domain in the username?

  Separate? If you enter username and password in your user agent then
  it should display the realm to you so you know for which realm the
  credentials are used.

  Example:

  Please enter username and password for realm "iptel.org":
  Username:
  Password:

  It is the server who chooses the realm/domain. User agents can't
  change it.

  What exactly are you trying to achieve?

    Jan.
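
An added example, not part of the original message and not SER's own code: a minimal RFC 2617 digest check (no qop) showing why a stored HA1 must be generated from the digest username exactly as the user agent sends it. The user "alice", the realm, password, nonce and URI are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # HA1 covers the digest username exactly as the user agent sends it.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri)).
    return md5_hex(f"{ha1_hex}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def verify(stored_ha1: str, creds: dict, method: str) -> bool:
    # Server side: recompute the response from the stored HA1 and compare.
    expected = digest_response(stored_ha1, creds["nonce"], method, creds["uri"])
    return hmac.compare_digest(expected, creds["response"])

def user_agent_credentials(username, realm, password, nonce, method, uri):
    # Client side: what a user agent would put in its Authorization header.
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "response": digest_response(ha1(username, realm, password),
                                        nonce, method, uri)}

# Constructed sample values (assumptions, not taken from the thread).
REALM = "example.com"
PASSWORD = "sample-password"
NONCE = "3f5e8a1c0b9d"
URI = "sip:example.com"

def demo() -> dict:
    stored_bare = ha1("alice", REALM, PASSWORD)              # HA1 for "alice"
    stored_full = ha1("alice@example.com", REALM, PASSWORD)  # HA1 for "alice@example.com"
    ua_full = user_agent_credentials("alice@example.com", REALM, PASSWORD,
                                     NONCE, "REGISTER", URI)
    ua_bare = user_agent_credentials("alice", REALM, PASSWORD,
                                     NONCE, "REGISTER", URI)
    return {
        # UA sends user@domain, database holds HA1 of the bare username.
        "full_vs_bare_ha1": verify(stored_bare, ua_full, "REGISTER"),
        "full_vs_full_ha1": verify(stored_full, ua_full, "REGISTER"),
        "bare_vs_bare_ha1": verify(stored_bare, ua_bare, "REGISTER"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'}")
```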



