[Users] qop authentication support

Klaus Darilion klaus.mailinglists at pernau.at
Tue Dec 5 14:29:02 CET 2006


One more :-)

It might be useful to force qop during authentication - e.g. reject 
clients which do not support qop as it enables replay attacks.

I think this breaks compatibility with rfc2543 clients, but IMO it would 
be good if this can be configured.

regards
klaus

Klaus Darilion wrote:
> Klaus Darilion wrote:
>> Hi!
>>
>> Reading openser's docs about qop, it looks like openser supports qop.
>>
>> turning qop on with www_challenge("", "1") activates the qop parameter:
>>
>> WWW-Authenticate: Digest realm="foo.bar", 
>> nonce="457553154ed7b9d93effa4118b4fe21f11b7f887", qop="auth".
>>
>> Openser advertises only qop=auth. Looking at the source code I get the 
>> impression that auth-int is supported too. How can this be activated?
> 
> From RFC 3261, this is how it looks:
> 
>       WWW-Authenticate: Digest
>               realm="biloxi.com",
>               qop="auth,auth-int",
>               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
>               opaque="5ccc069c403ebaf9f0171e9517f40e41"
> 
> 
> I guess it should be easy to add this to the auth module. I think it 
> will be useful to allow exact specification of the qop parameter with a 
> bitmask, e.g.:
> 
> www_challenge("", "1"): qop="auth"
> www_challenge("", "2"): qop="auth-int"
> www_challenge("", "3"): qop="auth,auth-int"
> 
> 
> Further, I think it can be useful to extend www_authorize (and the 
> radius functions) to return different return codes depending on the 
> authentication problem (e.g. cnonce counter problem, ...).
> 
> Further, does someone have any experience how clients handle qop=auth 
> and qop=auth-int?
> 
> regards
> klaus
> 


-- 
Klaus Darilion
nic.at
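To make the two suggestions above concrete (forcing qop so that RFC 2069-style requests are refused, and returning a distinct result per failure such as a nonce-count replay), here is an added illustration in Python; it is not openser code and not part of the original post. It computes the Digest response for qop=auth and qop=auth-int as RFC 2617 defines it, and the verifier, realm, user table and nonce values are all constructed samples.

```python
import hashlib
import hmac

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=""):
    """Digest 'response' per RFC 2617 3.2.2 (adopted by RFC 3261 for SIP);
    qop=None is the legacy RFC 2069 form with no cnonce/nc."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if qop == "auth-int":                       # auth-int also covers the body
        ha2 = _md5(f"{method}:{uri}:{_md5(body)}")
    else:
        ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side: a distinct result per failure (mappable to return codes)
    and the highest nonce-count accepted per nonce to spot replays."""

    def __init__(self, realm, users, require_qop=True,
                 allowed_qop=("auth", "auth-int")):
        self.realm = realm
        self.users = users                  # username -> password (sample)
        self.require_qop = require_qop      # reject RFC 2069-style clients
        self.allowed_qop = set(allowed_qop)
        self.last_nc = {}                   # nonce -> highest nc accepted

    def verify(self, method, body, hdr):
        qop = hdr.get("qop")
        if qop is None and self.require_qop:
            return "qop_required"
        if qop is not None and qop not in self.allowed_qop:
            return "bad_qop"
        nc_val = int(hdr["nc"], 16) if qop is not None else 0
        if qop is not None and nc_val <= self.last_nc.get(hdr["nonce"], 0):
            return "nc_replay"
        expected = digest_response(hdr["username"], self.realm,
                                   self.users.get(hdr["username"], ""),
                                   method, hdr["uri"], hdr["nonce"], qop,
                                   hdr.get("nc"), hdr.get("cnonce"), body)
        if not hmac.compare_digest(expected, hdr["response"]):
            return "bad_response"
        if qop is not None:
            self.last_nc[hdr["nonce"]] = nc_val
        return "ok"
```

The nonce-count state is per nonce, so a server that rotates nonces can drop entries once a nonce expires.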