Cyrus-SASL 2.1.22 DIGEST-MD5 and RFC2831

Alexey Melnikov alexey.melnikov at isode.com
Mon Jan 29 09:59:39 EST 2007


Andreas Winkelmann wrote:

>Hi all.
>
>In another list someone shows an Error-Message from the digest-md5 Plugin:
>
>"xxx: realm changed: authentication aborted".
>
I would like to get more information on this error. This error message 
is a good indicator that the client is broken.

>This happens if the Realm (Server->Client) in Step 1 is different from the 
>Realm (Client->Server) in Step 2.
>
>In RFC 2831 the Description of the Realm out of Step 2 is described as:
>
>   realm
>      The realm containing the user's account. This directive is
>      required if the server provided any realms in the
>      "digest-challenge", in which case it may appear exactly once and
>      its value SHOULD be one of those realms. If the directive is
>      missing, "realm-value" will set to the empty string when computing
>      A1 (see below for details).
>
>The Value in Step 2 "SHOULD" be one of the Values passed in Step 1. 
>The "SHOULD" is realized as a "MUST" in Cyrus-SASL. Is this really ok or is 
>this something which should better be changed?
>
Here is some background for why the SHOULD is used in the text you 
quoted: The server can support one or more realms, but it might not 
advertise some of them (i.e. not send them to the client). The client 
can pick one of the realms sent by the server or it can pick something 
else if it is specifically configured to do so. That "something else" still 
has to be accepted by the server.
Cyrus SASL server never "hides" any of the realms it supports, so the 
client must pick one of the ones sent by the server. So I think the 
current coded behavior is correct.
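The realm rule under discussion, as an added example that is not part of the original message or of the Cyrus SASL code: a small parser for RFC 2831 directive lists and a server-side check that accepts only a realm the server itself advertised. The challenge and response strings are constructed samples, not captured traffic.

```python
import re

# Constructed sample messages (not from the original thread): a server
# challenge advertising two realms and two client responses.
CHALLENGE = ('realm="mail.example.com",realm="example.org",'
             'nonce="c0nstructed-n0nce",qop="auth",algorithm=md5-sess,'
             'charset=utf-8')
GOOD_RESPONSE = ('username="alice",realm="example.org",'
                 'nonce="c0nstructed-n0nce",cnonce="c1ient",nc=00000001,'
                 'qop=auth,digest-uri="imap/mail.example.com",'
                 'response="00000000000000000000000000000000"')
# Same response, but the client substituted a realm the server never offered.
BAD_RESPONSE = GOOD_RESPONSE.replace('realm="example.org"',
                                     'realm="other.example.net"')

# One directive: token '=' (quoted-string | token). Quoted values may hold
# backslash-escaped characters; unquoted ones run up to the next comma.
_DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')

def parse_directives(msg: str) -> dict[str, list[str]]:
    """Map directive name -> list of values (realm may legitimately repeat
    in a digest-challenge, so every directive keeps a list)."""
    out: dict[str, list[str]] = {}
    for key, val in _DIRECTIVE.findall(msg):
        if val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])  # unquote, unescape
        out.setdefault(key, []).append(val)
    return out

def server_realm_check(challenge: str, response: str) -> str:
    """Server-side realm decision as discussed in the thread: returns the
    realm-value to use for A1, or rejects. Because this server advertised
    every realm it supports, the RFC's SHOULD is enforced as a MUST."""
    offered = parse_directives(challenge).get("realm", [])
    chosen = parse_directives(response).get("realm", [])
    if len(chosen) > 1:
        raise ValueError("realm directive may appear at most once")
    if not offered:
        # Server sent no realm: RFC 2831 says realm-value is the empty
        # string for A1 when the client omits the directive as well.
        return chosen[0] if chosen else ""
    if not chosen:
        raise ValueError("realm directive required: server offered realms")
    if chosen[0] not in offered:
        raise ValueError("realm changed: authentication aborted")
    return chosen[0]
```

Running `server_realm_check(CHALLENGE, BAD_RESPONSE)` reproduces the rejection the thread describes, while a response echoing one of the advertised realms is accepted.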


