THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Emmanuel Schmidbauer (eschmidbauer)
----------
Also @Olle, embedding this into the module does not provide less flexibility, you can continue to use your methods and completely ignore this patch.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1727
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Alex Hermann (axlh)
----------
1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing.
>From the module overview: "This module contains _all_ authentication related functions that need the access to the database."
I don't see anything about the module only being used to verify digest authentication.
The module and functions are about __authentication__. I think IP checks are more an __authorization__ thing.
2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive.
The functionality is enabled by ADDING the column name to the configuration, if it is not added, then the functionality is disabled.
The configuration item is for specifying the column name. You overloaded it by using it to en-/disable functionality.
3. The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module.
I fail to see how it can easily be done using ipops and permissions. Permissions does not do dynamic SQL queries (you must load/reload your IP addresses). That being said, it cannot be achieved using ipops and permissions. If I am mistaken about this, please provide an example.
Daniel already gave the answer, but i'll expand on it:
Add or change:
modparam("auth_db", "load_credentials", "$var(ip)=ip_address")
Change:
if (proxy_authenticate(realm, table)) {
to:
if (proxy_authenticate(realm, table) and is_in_subnet($si, $var(ip))) {
4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it.
And there is not much maintenance burden unless another version of IP becomes prevalent.
The code base will become (more) bloated and eventually unmaintainable if everything but the kitchen sink will be coded into it. IMHO only functionality that is hard or impossible to do in the script should be coded in C. Kamailio is not my project, so it's not up to me to decide, but, as a contributor already having spent a lot of time digging through the existing code, i would appreciate it if the code would not be expanded by more trivial and/or (imho) misplaced functionality.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1726
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Emmanuel Schmidbauer (eschmidbauer)
----------
@Daniel-Constantin
Who defines authentication? Their can be many variables to authentication, much more than just user/pass. As I said before, most VoIP systems will do IP authentication along with user/pass. This is important to prevent toll fraud.
@Olle
permissions does not dynamically do a database query, you need to load/reload the list. This is not the same behavior.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1725
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Olle Johansson (oej)
----------
I think this is not needed. I use the extra fields in auth_db to define a group that - if it exists - I use in the permissions module. If auth succeeds but permissions check fail, I challenge again.
Embedding it in the same module gives much less flexibility.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1724
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Daniel-Constantin Mierla (miconda)
----------
For clarification of "This module contains _all_ authentication related functions that need the access to the database."
Authentication is asserting the identity of user by username and password. IP check is more authorization -- once user is authenticated, you come up with a restriction to authorize its traffic from a limited set of IP addresses. Thus it is not like you suggest that such feature belongs here.
>From my point of view, I already expressed the opinion that the patch needs to be discussed, because from feature point of view all was there at an expense of a just 2-3 extra lines of config file. Therefore I suggested to discuss on sr-dev, but it is good that we have more opinions here as well.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1723
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Emmanuel Schmidbauer (eschmidbauer)
----------
I will go down the list and reply to each one:
1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing.
>From the module overview: "This module contains _all_ authentication related functions that need the access to the database."
I don't see anything about the module only being used to verify digest authentication.
2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive.
The functionality is enabled by ADDING the column name to the configuration, if it is not added, then the functionality is disabled.
I designed it that way to allow people to upgrade their code and not ADD the functionality unless they wanted it.
3. The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module.
I fail to see how it can easily be done using ipops and permissions. Permissions does not do dynamic SQL queries (you must load/reload your IP addresses). That being said, it cannot be achieved using ipops and permissions. If I am mistaken about this, please provide an example.
4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it.
Again, I do not see how to implement this in ipops. And there is not much maintenance burden unless another version of IP becomes prevalent.
5. The added functionality is undocumented.
I would be happy to document the functionality.
6. There is no return code to recognize the reason why "authentication" failed.
The return code is same as if authentication failed. Would you prefer a different return code? If so, let me know what return code should be used.
Please understand, I wrote this patch from the standpoint of a VoIP system administrator. IP Authentication coupled with password authentication is almost a necessity in most VoIP systems. Of course there are certainly ways to achieve this goal using what I would call "workarounds", like a perl script or messing with loading SQL data and running it against an ipops functions, but these methods are not documented nor a straightforward approach. Adding the IP restriction capability to the auth_db database makes the entire process straightforward and easy to maintain. I would be happy to re-write any of my code to meet the requirements for it to be pushed into auth_db. I will use my patch whether it is pushed into auth_db codebase or not, I would prefer not to run my own branch of kamailio though. I also think many other people could benefit from this patch.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1722
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Alex Hermann (axlh)
----------
While i value contributions to Kamailio in general, i'm opposed to this one for several reasons, mainly because it is in the wrong place and completely redundant.
- The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing.
- The functionality is enable by overloading the configuration of a table column name. Not very in intuitive.
- The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module.
- The functionality is so __very__ trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it.
- The added functionality is undocumented.
- There is no return code to recognize the reason why "authentication" failed.
I don't think this change should be accepted into Kamailio.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1721
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
i added debug to xmlrpc/rpc_fault():
static void rpc_fault(rpc_ctx_t* ctx, int code, char* fmt, ...)
{
LM_INFO("running rpc_fault '%d'/'%s'\n", code, fmt);
and got this:
### from ngrep
HTTP/1.1 200 OK.
Via: SIP/2.0/TCP 127.0.0.1:52948.
Server: OpenXg SIP Proxy (4.3.0-0 (i386/linux)).
Content-Length: 108.
.
<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value></value>
</param>
</params>
</methodResponse>
### from syslog
Dec 3 09:06:13 rautu /usr/bin/sip-proxy[19727]: INFO: xmlrpc [xmlrpc.c:917]: rpc_fault(): running rpc_fault '500'/'Wrong ETag'
the dummy xmlrpc reply is thus sent by somebody before
rpc->fault(c, 500, "Wrong ETag");
has a change to do its job.
-- juha
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Emmanuel Schmidbauer (eschmidbauer)
----------
Thanks for your response. I've attached a new version of the patch to work with CIDR notation as you requested.
Please consider pushing my patch to auth_db as I think it's very useful to "bake in" this feature to auth_db.
----------
One or more files have been attached.
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1720
You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.