Hi!
Reading openser's docs about qop, it looks like openser supports qop.
Turning qop on with www_challenge("", "1") activates the qop parameter:
WWW-Authenticate: Digest realm="foo.bar", nonce="457553154ed7b9d93effa4118b4fe21f11b7f887", qop="auth".
Openser advertises only qop=auth. Looking at the source code I get the impression that auth-int is supported too. How can this be activated?
regards klaus
Klaus Darilion wrote:
> Hi!
> Reading openser's docs about qop, it looks like openser supports qop.
> Turning qop on with www_challenge("", "1") activates the qop parameter:
> WWW-Authenticate: Digest realm="foo.bar", nonce="457553154ed7b9d93effa4118b4fe21f11b7f887", qop="auth".
> Openser advertises only qop=auth. Looking at the source code I get the impression that auth-int is supported too. How can this be activated?
This is how it looks in RFC 3261:
WWW-Authenticate: Digest realm="biloxi.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
I guess it should be easy to add this to the auth module. I think it will be useful to allow exact specification of the qop parameter with a bitmask, e.g:
www_challenge("", "1"): qop="auth"
www_challenge("", "2"): qop="auth-int"
www_challenge("", "3"): qop="auth,auth-int"
Further, I think it can be useful to extend www_authorize (and the radius functions) to return different return codes depending on the authentication problem (e.g. cnonce counter problem, ....).
Further, does someone have any experience how clients handle qop=auth and qop=auth-int?
regards klaus
One more :-)
It might be useful to force qop during authentication - e.g. reject clients which do not support qop as it enables replay attacks.
I think this breaks compatibility with rfc2543 clients, but IMO it would be good if this can be configured.
regards klaus
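An added example (not openser code and not part of the posts above) of the points raised in this thread: the RFC 2617 response computation without qop, with `auth` and with `auth-int`, and a server-side check that can require qop and returns distinct codes for a missing qop and a replayed nonce-count. The `Verifier` class, its result codes and the plaintext password table are assumptions made for illustration; nonce issuance and expiry are not modelled.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=""):
    """RFC 2617 request-digest for qop absent, "auth" or "auth-int"."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}")  # body is covered
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")  # no nc/cnonce: replayable
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Verifier:
    """Hypothetical server-side check; result codes are illustrative."""

    def __init__(self, realm, passwords, offered=("auth", "auth-int"),
                 require_qop=True):
        self.realm, self.passwords = realm, passwords
        self.offered, self.require_qop = offered, require_qop
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def check(self, cred, method, body=""):
        qop = cred.get("qop")
        if qop is None and self.require_qop:
            return "qop-required"
        if qop is not None and (qop not in self.offered
                                or "nc" not in cred or "cnonce" not in cred):
            return "bad-qop"
        password = self.passwords.get(cred["username"])
        if password is None:
            return "bad-response"  # unknown user looks like a wrong password
        expected = digest_response(
            cred["username"], self.realm, password, method, cred["uri"],
            cred["nonce"], qop, cred.get("nc"), cred.get("cnonce"), body)
        if not hmac.compare_digest(expected, cred["response"]):
            return "bad-response"
        if qop is not None:
            nc = int(cred["nc"], 16)  # nc is 8 hex digits on the wire
            if nc <= self.last_nc.get(cred["nonce"], 0):
                return "nc-replayed"
            self.last_nc[cred["nonce"]] = nc
        return "ok"
```

With `require_qop=False` the same no-qop credentials are accepted every time they are presented, which is the replay exposure the last message refers to.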