Andreas Winkelmann wrote:
Hi all.
In another list someone showed an error message from the digest-md5 plugin:
"xxx: realm changed: authentication aborted".
I would like to get more information on this error. This error message
is a good indicator that the client is broken.
This happens if the realm (Server->Client) in Step 1 is different from the
realm (Client->Server) in Step 2.
In RFC 2831 the description of the realm in Step 2 reads:
realm
The realm containing the user's account. This directive is
required if the server provided any realms in the
"digest-challenge", in which case it may appear exactly once and
its value SHOULD be one of those realms. If the directive is
missing, "realm-value" will set to the empty string when computing
A1 (see below for details).
The value in Step 2 "SHOULD" be one of the values passed in Step 1.
The "SHOULD" is realized as a "MUST" in Cyrus-SASL. Is this really ok or is
this something which should better be changed?
Here is some background for why the SHOULD is used in the text you
quoted: The server can support one or more realms, but it might not
advertise some of them (i.e. not send them to the client). The client
can pick one of the realms sent by the server or it can pick something
else if it is specifically configured to do so. That "something else" still
has to be accepted by the server.
Cyrus SASL server never "hides" any of the realms it supports, so the
client must pick one of the ones sent by the server. So I think the
currently coded behavior is correct.
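The check discussed above, written out as an added Python example (it is not Cyrus SASL's own code): it parses the RFC 2831 directive lists of a digest-challenge and a digest-response and reports whether the client's realm is one the server offered, with a missing realm treated as the empty string as the quoted RFC text says. The message strings in the comments and assertions are constructed for illustration.

```python
import re

# One directive of an RFC 2831 directive list: name=value, where value is
# either a quoted string (with backslash quoted-pairs) or an unquoted token.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*("((?:[^"\\]|\\.)*)"|[^,]*)\s*(?:,|$)'
)


def parse_directives(message: str) -> dict:
    """Return {directive-name: [values...]}; 'realm' may legitimately repeat
    in a digest-challenge, so every value is kept in order."""
    out = {}
    for m in _DIRECTIVE.finditer(message):
        name = m.group(1).lower()
        if m.group(3) is not None:
            value = re.sub(r'\\(.)', r'\1', m.group(3))  # strip quoted-pairs
        else:
            value = m.group(2).strip()
        out.setdefault(name, []).append(value)
    return out


def check_realm(challenge: str, response: str) -> tuple:
    """Apply the rule the thread describes: if the server advertised any
    realm in the digest-challenge, the client's realm in the digest-response
    must be one of them. Returns (accepted, reason, realm_used_for_A1)."""
    offered = parse_directives(challenge).get("realm", [])
    chosen = parse_directives(response).get("realm", [])
    if len(chosen) > 1:
        return False, "realm directive appears more than once", None
    if not offered:
        # Nothing advertised: a missing realm becomes "" when computing A1.
        return True, "no realm offered", chosen[0] if chosen else ""
    if not chosen:
        return False, "realm required because server offered realms", None
    if chosen[0] not in offered:
        # This is the condition behind "realm changed: authentication aborted".
        return False, "realm changed: authentication aborted", chosen[0]
    return True, "ok", chosen[0]


if __name__ == "__main__":
    # Constructed messages: server offers two realms, client answers with one.
    challenge = 'realm="a.example",realm="b.example",nonce="n1",qop="auth"'
    response = 'username="alice",realm="b.example",nonce="n1",qop=auth'
    print(check_realm(challenge, response))
```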