Khaled Blah wrote:
Sorry for my late reply, Henrik. I want to be able to use an empty
realm because we use Digest Auth in conjunction with an LDAP backend.
In this LDAP backend the admin can specify combinations of
<realm>:<password> or <realm>:<H(A1)>. The empty realm would thus lead
to either <password> or <H(A1)> standing by themselves. We want to
support this latter case as well and the empty realm would make that a
lot easier.
Regards,
Khaled
Unless I'm confused and mixing up my protocols ... the realm is used as a
salting value and HA(1) is compared to a hash sent by the user combining
realm+user+password. Very hard for the user to generate a secure hash
correctly when the realm salt is empty.
Amos
2010/6/22 Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>:
On Tue, 2010-06-22 at 00:22 +0200, Khaled Blah wrote:
That's not completely true. RFC 2617 states that the realm of either
digest/basic auth is a quoted string but it doesn't say that this
string has to be a minimum number of characters.
True, but it is clearly not the intention that this should be empty.
I asked why you want to use an empty realm.
Regards
Henrik
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.4
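
Added example, not part of the original thread and not Squid's code: the RFC 2617 computation the messages above discuss, showing how a server holding only a stored H(A1) checks a client response, and what an empty realm does to H(A1). The request values are the RFC 2617 section 3.5 sample; the user `alice`, her password and the realms `proxy-a` and `proxy-b` are constructed.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def h_a1(user: str, realm: str, password: str) -> str:
    # RFC 2617: A1 = username ":" realm ":" password
    return md5_hex(f"{user}:{realm}:{password}")


def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # The server never needs the password, only the stored H(A1).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1: str, client_response: str, **request) -> bool:
    wanted = expected_response(stored_ha1, **request)
    return hmac.compare_digest(wanted, client_response)


def realm_separates(user: str, password: str, realm_a: str, realm_b: str) -> bool:
    # True when the same credentials give different H(A1) in the two realms.
    return h_a1(user, realm_a, password) != h_a1(user, realm_b, password)


# Request values from the RFC 2617 section 3.5 example.
RFC_REQUEST = dict(
    method="GET",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)
RFC_RESPONSE = "6629fae49393a05397450978507c4ef1"

if __name__ == "__main__":
    stored = h_a1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("RFC sample verifies:", verify(stored, RFC_RESPONSE, **RFC_REQUEST))
    # Constructed credentials: distinct realms keep the stored hashes apart.
    print("distinct realms differ:", realm_separates("alice", "s3cret", "proxy-a", "proxy-b"))
    # With an empty realm A1 is "alice::s3cret" on every service that does
    # the same, so one stored H(A1) is valid for all of them.
    print("empty realms differ:", realm_separates("alice", "s3cret", "", ""))
```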