Bug 586755 - Localized realm in the passwd file doesn't work
Status: RESOLVED FIXED
Product: gnome-user-share
Classification: Core
Component: general
Version: unspecified
Hardware: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: gnome-user-share maintainers
Reported: 2009-06-23 14:10 UTC by Tomas Bzatek
Modified: 2009-06-26 09:31 UTC
GNOME target: ---
GNOME version: 2.27/2.28


Attachments
0001-Retrieve-the-realm-string-from-the-passwd-file.patch (2.57 KB, patch)
2009-06-23 14:39 UTC, Tomas Bzatek

Description Tomas Bzatek 2009-06-23 14:10:34 UTC
Password-protected sharing via gnome-user-share stops working under a localized desktop session.

Repro steps:
1. LANGUAGE=cs_CS.UTF-8 gnome-file-share-properties
2. Activate "Share public files on network", select Always require password and enter your password
3. the ~/.config/user-share/passwd file would look like 
guest:Přihlaste se prosím jako host:835b2224c3cbb7070b1507923edb2694
 (forget about the wrong localization now, "guest" should not be localized)
4. notice the localized realm (the prompt message)
5. running the gnome-user-share daemon will fall back to the "C" locale, presenting the user with an unlocalized realm string "Please log in as the user guest"

Some findings:
 - by using mod_auth_digest authentication, the realm string is mandatory

 - username matching in the passwd files is done with respect to the realm string, they should be equal, otherwise we get the following error from apache:
"Digest: user `guest' in realm `Please log in as the user guest' not found: /"

 - as long as the triplet "user:realm:password" is encoded as the password in the MD5 digest (and this is the one apache sends back as a reply), we should present this to apache (and to the user)
   explanation:
     - the passwd file looks like "user:realm:digest"
     - the digest itself is MD5-encoded string "user:realm:password"
     - so the line in passwd represents "user:realm:MD5(user:realm:password)"
     - Apache sends back the digest part, it should know the right realm

Open questions:
 - UTF-8 issues: passing a UTF-8 encoded string as the AuthName directive causes trouble with Firefox; fortunately gvfsd-dav shows this string correctly.
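
The realm mismatch described in the findings above, as an added example that is not part of the original report or of gnome-user-share's code. It models the (user, realm) lookup and the legacy no-qop Digest response from RFC 2617; the password, nonce and function names are constructed, and UTF-8 encoding of the hashed strings is an assumption.

```python
import hashlib
import hmac

C_REALM = "Please log in as the user guest"   # realm the daemon sends (from the report)
CS_REALM = "Přihlaste se prosím jako host"    # realm written to the passwd file (from the report)
PASSWORD = "example-password"                 # constructed sample value

def md5_hex(text):
    # Assumption: strings are hashed as UTF-8 bytes on both sides.
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    """Third field of a passwd line: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")

def parse_passwd(text):
    """Return {(user, realm): digest} from 'user:realm:digest' lines."""
    entries = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue  # skip blank or malformed lines
        user, rest = line.strip().split(":", 1)
        realm, digest = rest.rsplit(":", 1)  # digest is hex, so the last ':' ends the realm
        entries[(user, realm)] = digest
    return entries

def client_response(user, realm, password, nonce, method, uri):
    """What a client sends back: MD5(HA1:nonce:MD5(method:uri)), no qop."""
    return md5_hex(f"{ha1(user, realm, password)}:{nonce}:{md5_hex(method + ':' + uri)}")

def server_check(entries, auth_name, user, response, nonce, method, uri):
    """Look the user up under the configured realm, then compare responses."""
    stored = entries.get((user, auth_name))
    if stored is None:
        return f"user `{user}' in realm `{auth_name}' not found"
    expected = md5_hex(f"{stored}:{nonce}:{md5_hex(method + ':' + uri)}")
    return "ok" if hmac.compare_digest(expected, response) else "password mismatch"

def demo(auth_name):
    """Passwd file written with the Czech realm; server challenges with auth_name."""
    passwd = f"guest:{CS_REALM}:{ha1('guest', CS_REALM, PASSWORD)}\n"
    nonce = "constructed-nonce"
    response = client_response("guest", auth_name, PASSWORD, nonce, "GET", "/")
    return server_check(parse_passwd(passwd), auth_name, "guest", response, nonce, "GET", "/")

if __name__ == "__main__":
    print(demo(C_REALM))   # realm mismatch: lookup fails
    print(demo(CS_REALM))  # realm taken from the passwd file: lookup succeeds
```
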
Comment 1 Tomas Bzatek 2009-06-23 14:39:27 UTC
Created attachment 137252
0001-Retrieve-the-realm-string-from-the-passwd-file.patch

So my idea for the fix was to parse the passwd file on startup, extract the realm string and pass it as the AuthName directive (via the GUS_LOGIN_LABEL env. var.)

Testing on my system with httpd-2.2.11 (Fedora 11) it still doesn't work, the realm is presented correctly localized and there's no error in the log file (with debug turned on). Apparently the authentication succeeded but apache still returns 401 Authorization Required. The weird thing is that the password prompt won't show up for the second time (as you would expect when the credentials entered are not valid) but throws an error right after the first try.

Any ideas on this would be welcomed, there's very little documentation about mod_auth_digest and no way to turn on more verbose debug messages.
Comment 2 Tomas Bzatek 2009-06-23 14:41:32 UTC
The other way might be to mark the realm string as not localizable so gnome-file-share-properties would always create a non-localized passwd file and the prompt message during mount (gvfsd-dav) will stay English as well.
Comment 3 Bastien Nocera 2009-06-25 14:00:32 UTC
I'm thinking of using mod_auth instead of mod_auth_digest, so we could do away with the realm completely. Joe, what do you think?
Comment 4 Tomas Bzatek 2009-06-25 14:19:23 UTC
From what I learned, the downside of mod_auth is the password being transferred as plain text, so without SSL it's publicly readable. Not sure if mod_auth_digest sets up some kind of secure link at the beginning of the auth process though.
Comment 5 jorton 2009-06-25 16:19:35 UTC
Do you mean "mod_auth_basic instead of mod_auth_digest"?

In HTTP there is no support for i18n realm strings in either Basic or Digest; all that is interoperable is to send ASCII strings.  The realm (AuthName xxx) is required for both.

Using an instructive phrase as the realm is not really a great idea anyway, you don't have any control over the client's presentation of the string.
Comment 6 Bastien Nocera 2009-06-26 09:31:50 UTC
Thanks Joe for the heads up.

commit f77498214f945c988a0bcbe570782dcaf37e771d
Author: Bastien Nocera <hadess@hadess.net>
Date:   Fri Jun 26 10:30:42 2009 +0100

    Bug 586755 – Localized realm in the passwd file doesn't work
    
    And apparently, they're not supposed to either... So remove the
    translation for the realm instead.