On Thu, Jul 1, 2010 at 6:01 PM, Iñaki Baz Castillo ibc@aliax.net wrote:
2010/7/1 Jan Janak jan@ryngle.com:
With SER the above problem would be solved by using the same realm for all the users and domains, but with a constrain: the "username" field of the creedentials generated by the user should be a full URI "sip:alice@example.org" (or perhaps also "alice@example.org"), so the auth module would parse the username and domain from the credentials "username" field.
And this too can already be done, you can simply set the value of the digest_realm variable with something like:
$f.digest_realm = @authorization[...].username.domain
Could you please detail more this code? Let me set an example:
Sorry, I don't have an example at hand, it's been a while since I worked on this.
- SR multidomain and two users:
- sip:alice@dom1.org - realm = "myserver.org" - sip:alice@dom2.org - realm = "myserver.org"
- An INVITE arrives sent by alice@dom1.org:
INVITE sip:bob@dom3.org SIP/2.0 From: sip:anonymous@invalid-domain.org
SR asks for authentication using the shared realm "myserver.org".
Let's imagine the UAC sets credentials in these ways:
4.1) Digest realm="myserver.org", username="alice" 4.2) Digest realm="myserver.org", username="alice@dom1.org" 4.3) Digest realm="myserver.org", username="sip:alice@dom1.org"
So, option 4.1 wouldn't clarify if the authenticated user is "sip:alice@dom1.org" or "sip:alice@dom2.org". This is, if the UAC just sets its AoR username in the credentials 'username' field then the above case cannot work as it would require the proxy using a different realm = domain and the INVITE request to contain the domain somewhere (i.e. P-Preferred-Identity header which is not the case).
This seems correct to me.
An alternative solution would be making the username 'alice' unique across all domains supported on the server. Then you could deduce the virtual domain from the username. Although feasible, this scenario is not common and I mention it just for completeness.
Option 4.2 would work as from the credentials the proxy can identity "sip:alice@dom1.org", but IMHO the credentials username format should be an AoR (with the schema).
Whether or not the schema should be included is something we can argue about, but in the end it does not really matter because it is not standard anyway. You can choose whichever way you like more and what your UAs support.
Options 4.3 seems the best one for me, but not sure if it's feasible with the currently existing UA's.
If the UA allows you to enter the username for digest authentication explicitly then it probably will be supported. In fact, from what I have seen on iptel.org, this is quite common configuration mistake.
The column ha1b in the subscriber table exists exactly for this case. That is, if you have calc_ha1 disabled and the UA sends a username with '@' in it, SR automatically uses the column ha1b instead of ha1. The difference between ha1 and ha1b is that the hash in ha1b is calculated as MD5(username@realm:realm:password), while ha1 is calculated as MD5(username:realm:password). So you've got both cases covered and you can still disable calculate_ha1.
before calling proxy_authenticate. Any part of the SIP message can be used to set digest realm.
The problem is that in the above INVITE there is no way to choose the realm based on the SIP headers.
If there is nothing that identifies the domain then there isn't much you can do. Though I've seen UAs that send "empty" digest credentials with just username and no nonce or response attributes, that could be used in such case.
Note that this would also work with calc_ha1 set to 0. The subscriber table contains a column called ha1b which is used when the UA supplies digest username of form "user@domain".
Yes, but would it work in case of "sip:user@domain"?
I am not sure, you'll need to check the code. I wrote that part 8 years ago and I don't remember if I check for the presence of scheme. ;-).
-Jan