Jim Jagielski wrote:
On Apr 13, 2004, at 11:13 AM, Jim Jagielski wrote:
static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name)
{
@@ -3395,6 +3446,9 @@
"An HTTP authorization type (e.g., \"Basic\")" },
{ "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1,
"The authentication realm (e.g. \"Members Only\")" },
+{ "AuthNonce", set_authnonce, NULL, OR_AUTHCFG, TAKE1,
+ "An authentication token which should be different for each logical realm. "\
+ "A random value or the servers IP may be a good choise.\n" },
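Review bot: the AuthNonce help text should not suggest the server's IP as a value; an IP address is public, so if this token is what keeps nonces unforgeable (as the discussion below reads it), only an unpredictable random value should be recommended, and the string should say that the value must be kept secret. While rewording it, fix "choise" to "choice" and "servers IP" to "server's IP", and drop the trailing "\n" and the backslash line continuation: the neighbouring AuthType and AuthName entries end without a newline, and adjacent string literals concatenate without a backslash.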

Surely this advice is not good - this value (according to my reading) is the only secret that prevents forgery of nonces. OTOH, it's late, and I may not be thinking clearly about this - in fact, I'm suspecting that forgery of nonces is not an issue - the issue is using the same nonce in different realms - but I'll send this anyway just so it gets discussed.


Also, this isn't really a nonce - the constructed value is - this is a nonce seed, or something along those lines.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
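The two concerns raised above (a public seed lets anyone mint valid nonces; one seed shared across realms should not let a nonce from one realm be accepted in another) can be shown with a small keyed-nonce scheme. The following is an added illustration, not mod_auth_digest's code or the scheme the patch implements: it assumes a hypothetical construction nonce = timestamp ":" HMAC-SHA256(seed, realm ":" timestamp), where `seed` stands in for the AuthNonce value; the timestamp, realm names and the 192.0.2.10 address are constructed sample values.

```python
"""Keyed nonce construction as an illustration of the AuthNonce discussion.

Added example, not httpd code. Assumed (hypothetical) scheme:
    nonce = timestamp ":" HMAC-SHA256(seed, realm ":" timestamp)
where `seed` plays the role of the AuthNonce directive's value.
"""
import hashlib
import hmac
import secrets


def make_nonce(seed: bytes, realm: str, timestamp: int) -> str:
    """Mint a nonce bound to a realm and a time, keyed by the seed."""
    msg = f"{realm}:{timestamp}".encode()
    tag = hmac.new(seed, msg, hashlib.sha256).hexdigest()
    return f"{timestamp}:{tag}"


def verify_nonce(seed: bytes, realm: str, nonce: str, now: int,
                 max_age: int = 300) -> bool:
    """Accept a nonce only if it is fresh and its tag matches this realm and seed."""
    ts_str, sep, tag = nonce.partition(":")
    if not sep or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if ts > now or now - ts > max_age:
        return False
    expected = hmac.new(seed, f"{realm}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak via timing.
    return hmac.compare_digest(expected, tag)


def attacker_forges(seed_guess: bytes, realm: str, now: int) -> str:
    """An attacker who can guess the seed can mint nonces the server will accept."""
    return make_nonce(seed_guess, realm, now)


def demo() -> dict:
    now = 1_081_872_000            # constructed fixed timestamp (April 2004)
    realm = "Members Only"
    # Weak seed: the server's IP, which any client already knows (constructed).
    weak_seed = b"192.0.2.10"
    forged = attacker_forges(weak_seed, realm, now)
    # Strong seed: random bytes the attacker cannot guess.
    strong_seed = secrets.token_bytes(32)
    guess = attacker_forges(b"192.0.2.10", realm, now)
    # Same seed, different realm: the nonce must not carry over.
    other_realm_nonce = make_nonce(strong_seed, "Admins", now)
    return {
        "weak_seed_forgery_accepted": verify_nonce(weak_seed, realm, forged, now),
        "strong_seed_guess_accepted": verify_nonce(strong_seed, realm, guess, now),
        "cross_realm_accepted": verify_nonce(strong_seed, realm, other_realm_nonce, now),
        "genuine_accepted": verify_nonce(
            strong_seed, realm, make_nonce(strong_seed, realm, now), now),
        "stale_rejected": not verify_nonce(
            strong_seed, realm, make_nonce(strong_seed, realm, now - 600), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the IP as seed the forged nonce verifies; with a random seed the attacker's guess fails, a nonce minted for one realm is rejected in another because the realm is part of the HMAC input, and a nonce older than the window is refused. Binding the realm into the tag is what makes a single seed safe to share across realms; keeping the seed secret is what prevents forgery.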
