Re: [squid-users] empty basic/digest realm

From: Henrik Nordstr�m <henrik_at_henriknordstrom.net>
Date: Tue, 06 Jul 2010 23:02:05 +0200

I dont question that the rfc allows for an empty realm even if not the intention by the rfc authors. What i ask is why you want to use an empty realm. The realm is there for both usability and security reasons, and i do not see what benefit there would be in using an empty realm compared to something meaningful that the user understands.

----- Ursprungsmeddelande -----
> Hi Henrik,
>
> I am not sure what your point is so I'll be trying to make my point
> again. First of all, the RFC specifies the realm to be a quoted-string
> as you can see here:
>
> realm = "realm" "=" realm-value
> realm-value = quoted-string
>
> In the whole RFC there is no statement that says the realm has to have
> a certain length. So it can also have the length 0 which translates to
> the empty string. I have written an auth helper which is able to cope
> with the empty string as a realm but Squid cannot cope with it. This
> is the reason for my email in the first place.
>
> The empy realm leads to an H(A1) like this: H(A1) == HEX(MD5(login
> "::" password))
> This computes to a perfectly valid MD5 hash with which IE and Firefox
> have no problem.
>
> I hope I have made my intentions more clear now.
>
> Regards,
> Khaled
>
>
> 2010/7/1 Henrik Nordström <henrik_at_henriknordstrom.net>:
> > The normal digest ldap helper in plain text passord mode expects just
> > the plain text password in ldap, without realm.
> >
> > If you store H(A1) value then it`s always realm specific. And to my
> > knowledge there is no basic auth helper capable of verifying to a
> > H(A1) value but technically it can be done regardless of what realm
> > were used in the H(A1).
> >
> > If you use some other helper which expects realm:password or
> > realm:H(A1) then it would most likely expect :H(A1) and not H(A1) if
> > realm is empty.
> >
> > Keep in mind that Digest A1 value is login:realm:password. And H is
> > HEX MD5 which makes H(A1) == HEX(MD5(login ":" realm ":" password))
> >
> > So i still do not quite umderstand what yo want to accomplish with an
> > empty realm.
> >
> > Regards
> > Henrik
Received on Tue Jul 06 2010 - 21:32:47 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 07 2010 - 12:00:14 MDT