Hi all,

My SER server uses MySQL for auth. These days I have come across a question. If a user has an account in the MySQL database of the SER server, he can avoid system accounting. For example, a user has ID 123456 and he has the password. When he makes a call, he sends an INVITE like this (just a sample):

    INVITE: sip:111111@iptel.org:5060 SIP/2.0
    From: "654321"sip:654321@iptel.org;tag=xxxxxxx
    To: sip:111111@iptel.org
    ............

The SER server replies 407 (authentication request). Then the user replies with an ACK and sends an INVITE with authentication, like:

    INVITE: sip:111111@iptel.org:5060 SIP/2.0
    From: "654321"sip:654321@iptel.org;tag=xxxxxxx
    To: sip:111111@iptel.org
    Proxy-Authorization: Digest username="123456", realm="iptel.org",nonce="....",uri="123456@iptel.org",response="............"
    (or Proxy-Authorization: Digest username="123456", realm="iptel.org",nonce="....",uri="333333@iptel.org",response="............" )
    ............

Then the user passes the authentication using his ID, and he makes the call using another ID.
When registering to the SER server, he can use the same way to pass 401 auth.

I tried it on my SER server and it passed! How can I avoid it?

Jimmy 2/9/04
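
The mismatch described in the post (digest credentials for one account, a different ID in From on INVITE or in To on REGISTER) can be checked by comparing the two identities after authentication succeeds. The sketch below is an added example, not part of the original post and not SER code; the sample message is constructed, the function names are hypothetical, and it assumes the digest realm equals the domain of the identity URI.

```python
import re

# Constructed sample modelled on the INVITE in the post (placeholder values).
SAMPLE_INVITE = (
    "INVITE sip:111111@iptel.org:5060 SIP/2.0\r\n"
    'From: "654321" <sip:654321@iptel.org>;tag=xxxxxxx\r\n'
    "To: <sip:111111@iptel.org>\r\n"
    'Proxy-Authorization: Digest username="123456", realm="iptel.org", '
    'nonce="abc", uri="sip:111111@iptel.org", response="0000"\r\n'
    "\r\n"
)

def parse_headers(msg):
    """Return {lowercased header name: value}; folding and compact forms are not handled."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def uri_user_host(value):
    """Extract (user, host) from the first sip:/sips: URI in a header value."""
    m = re.search(r"sips?:([^@;>\s]+)@([^:;>\s]+)", value, re.I)
    return (m.group(1), m.group(2).lower()) if m else (None, None)

def digest_params(value):
    """Parse Digest credentials into a dict of parameter -> unquoted value."""
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', value)
    return {k.lower(): v.strip('"') for k, v in pairs}

def identity_matches(msg, auth_header="proxy-authorization", id_header="from"):
    """True only if the digest username/realm equal the user/host of the identity header.

    For INVITE (407 challenge) use the defaults; for REGISTER (401 challenge)
    pass auth_header="authorization" and id_header="to".
    """
    headers = parse_headers(msg)
    creds = digest_params(headers.get(auth_header, ""))
    user, host = uri_user_host(headers.get(id_header, ""))
    if not creds.get("username") or user is None:
        return False  # missing credentials or unparsable identity: treat as mismatch
    # Assumption: the realm is the same string as the account's SIP domain.
    return creds["username"] == user and creds.get("realm", "").lower() == host
```

A proxy would reject the request (for example with 403) when this comparison fails, so accounting is always attributed to the authenticated account. In a SER routing script the same comparison is available as the `check_from()` and `check_to()` functions, called after the authorization step.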