If the router requires authentication and the client sends a HELLO message with a valid realm and a non-existent userid, should the router reply with an ABORT message, or continue the CHALLENGE process and then ABORT after AUTHENTICATE?
It is better from a security standpoint not to give out any information that would allow an attacker to determine whether a userid exists (e.g. "root" or "admin"). Thus, it is more secure to proceed as if the userid exists, issue the CHALLENGE, and then fail after AUTHENTICATE. See https://security.stackexchange.com/questions/17816 There is the
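An added example (not code from the WAMP spec or from this project) of the router behaviour the reply recommends: the router answers every HELLO with a CHALLENGE and returns the same ABORT for an unknown userid as for a wrong signature, so neither the HELLO response nor the ABORT reason reveals which userids exist. It assumes a WAMP-CRA-style HMAC-SHA256 signature over the challenge string and an ABORT reason URI of `wamp.error.authentication_failed`; the user table and dummy secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed user database: userid -> shared secret.
USERS = {"alice": b"correct horse battery staple"}

# Dummy secret used for unknown userids so the router does the same HMAC work
# (and takes about the same time) whether or not the userid exists.
DUMMY_SECRET = os.urandom(32)

# Assumed ABORT reason URI; the same one is sent for unknown user and bad signature.
AUTH_FAILED = "wamp.error.authentication_failed"


class Router:
    """Minimal router-side auth state machine: HELLO -> CHALLENGE -> AUTHENTICATE."""

    def __init__(self, users=USERS):
        self.users = users
        self.pending = {}  # session id -> (authid, challenge string)

    def on_hello(self, session, realm, authid):
        # Always issue a CHALLENGE, even for a userid we have never heard of,
        # so the reply to HELLO leaks nothing about which userids exist.
        challenge = base64.b64encode(os.urandom(16)).decode()
        self.pending[session] = (authid, challenge)
        return ("CHALLENGE", challenge)

    def on_authenticate(self, session, signature):
        state = self.pending.pop(session, None)
        if state is None:  # AUTHENTICATE without an outstanding CHALLENGE
            return ("ABORT", AUTH_FAILED)
        authid, challenge = state
        secret = self.users.get(authid, DUMMY_SECRET)
        expected = client_sign(secret, challenge)
        # Compare in constant time first, then check existence, so unknown
        # users and wrong passwords take the same path to the same ABORT.
        ok = hmac.compare_digest(expected.encode(), str(signature).encode())
        if ok and authid in self.users:
            return ("WELCOME", authid)
        return ("ABORT", AUTH_FAILED)


def client_sign(secret, challenge):
    """What a legitimate client computes from the CHALLENGE string."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
```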
That statechart also includes the CHALLENGE and AUTHENTICATE messages. When the statechart was added to the spec (I'm the one who contributed that statechart in graphical format, by the way), we didn't bother to make two versions for the basic and advanced profiles.
"To request authentication" means that the router wants to request authentication. The router requests authentication by sending a CHALLENGE, where it expects an AUTHENTICATION in response. The client can only ask for authentication methods in its HELLO message.
I can see how it could be…