I do not have anything against being implemented as per specs, with an
option (a new flag) to auth functions (likely it needs to be done in
several modules that do digest-auth with various backends). I would also
make sense to see what the specs say about an UA to reuse a nonce, if it
something recommended or just some UAs do it for convenience. When the
nonce is returned first time, unlikely that it will expire till the first
usage, expiration happen when the UA uses the nonce from previous
registration, that happened probably minutes ago. Is this something covered
by specs?
Anyhow, setting this option in the default config file is something I don't
consider really good from security point of view. Hitting the database can
be a big performance impact. Adding additional rules to overcome the
potential DoS exposure, such as fail2ban, of course are good, but it also
does not belong to the default config file. There are many options that the
auth modules have, including one-time-nonce, different auth qop, etc. I
think all of these can be added to the advanced config, now located in
misc/examples/pkg/kamailio-oob.cfg.
I prefer to keep kamailio.cfg as a complete-enough but still basic starting
point to build the config file. It will be more negative feedback if the
default config has poor performances and exposes to more security risks
than someone reading the docs and enabling various auth options to tune it
for specific needs.
Actually, so far nobody complained about lack of stale=true, I have seen
some UAs that reused nonce between registrations and typically they don't
ask for a new password if they reused the nonce, only when they got a fresh
one and the auth failed... but could be specific implementation details,
specs should be checked about the reuse of nonce to see what behaviour
should be there.
Cheers,
Daniel
On Wed, Jul 3, 2019 at 7:39 AM Juha Heinanen <jh(a)tutpro.com> wrote:
Daniel-Constantin Mierla writes:
If I haven't missed something, Juha said it
is not good to ask the user
again for introducing the password in the (soft)phone app. The hashed
response (with nonce, realm, password) has to be sent always over the
network, no matter the stale parameter value. So it is just the
inconvenience of the person to type the password, it doesn't impact at
all
what is sent over the network.
I tried to say that if UA send REGISTER request that includes
Authorization header and gets back 401 WWW-Authenticate header without
stale=true, the UA MUST ask the user to enter authentication
username/password again, even when there is nothing wrong with them.
In practice that is in many cases impossible, e.g., when the UA is
in user's pocket. That is why it important that the server includes the
flag in 401 response.
-- Juha
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -
http://www.asipto.com
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda