I'm involved in setting up a Kamailio instance and was hoping to make use of the auth_ephemeral module for authentication. But the module documentation doesn't quite make clear how exactly the module is to be employed or the web service set up. Does anyone have a working example?
Regards, Hemanshu Vadehra hemanshu.v@directi.com
Hello,
You have to write the web-service yourself. The IETF draft referenced in the module documentation explains how the web-service should construct the credentials - the coding for this is trivial.
The mechanism the web-service uses to authenticate the user in the first place (and decide whether to issue credentials or not) will vary from application to application and is entirely up to you.
Regards,
Peter
-- Peter Dunkley Technical Director Crocodile RCS Ltd
On 21 Nov 2013, at 03:09, Hemanshu Vadehra hemanshu.v@directi.com wrote:
> I'm involved in setting up a Kamailio instance and was hoping to make use of the auth_ephemeral module for authentication. But the module documentation doesn't quite make clear how exactly the module is to be employed or the web service set up. Does anyone have a working example?
> Regards, Hemanshu Vadehra hemanshu.v@directi.com
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hi Peter Dunkley or anyone else who can throw me some clue,
I'm interested in using the auth_ephemeral module to authenticate registrations with the help of an external web service.
But I'm reading and reading the documentation and I'm clearly missing something.
The document starts by describing how "the web service" should work. I understand fully that I must implement this web service.
But nowhere in the documentation with auth_ephemeral do you tell the module the URL where the service is found.
Whilst the Makefile includes libcurl when static linking is used, there are no calls to the curl library in the auth_ephemeral module, or to socket() or connect().
So I don't see that this module can act as a client to the documented web service?
What am I failing to understand?
Thanks, Steve
Hello,
looking in the makefile, the linking to libcurl is commented, so not really used.
I guess you can use other modules such as http_client to interact with the web service. The jansson module can be used to parse the result.
Also, it should be possible to do it without interacting with the web service, because you can compute the password using the shared secret key. So, in this case, Kamailio doesn't need to interact with the web service.
Cheers, Daniel
On 17/01/2017 12:53, Steve Davies wrote:
> Hi Peter Dunkley or anyone else who can throw me some clue,
> I'm interested in using the auth_ephemeral module to authenticate registrations with the help of an external web service.
> But I'm reading and reading the documentation and I'm clearly missing something.
> The document starts by describing how "the web service" should work. I understand fully that I must implement this web service.
> But nowhere in the documentation with auth_ephemeral do you tell the module the URL where the service is found.
> Whilst the Makefile includes libcurl when static linking is used, there are no calls to the curl library in the auth_ephemeral module, or to socket() or connect().
> So I don't see that this module can act as a client to the documented web service?
> What am I failing to understand?
> Thanks, Steve
Hi Daniel,
On 17 January 2017 at 14:15, Daniel-Constantin Mierla miconda@gmail.com wrote:
> I guess you can use other modules such as http_client to interact with the web service. The jansson module can be used to parse the result.
> Also, it should be possible to do it without interacting with the web service, because you can compute the password using the shared secret key. So, in this case, Kamailio doesn't need to interact with the web service.
Thanks for that, and to Carsten who also sent an explanation.
It seems like all that documentation about the web service is indeed a red-herring since the module is neither a client nor a provider of such a service. There is no obligation to implement such a service as documented - since in any event auth_ephemeral neither implements nor consumes this web service.
All auth_ephemeral does is to authenticate clients using a secret (password) that is encrypted using a shared key. auth_ephemeral I guess decrypts the secret which is structured so that auth_ephemeral can tell that it is legit and unexpired.
Do I have this right?
Gotta say that the docs really don't make this clear.
Thanks, Steve
Hi,
I don't know who's responsible for approving bigger messages - if present, please approve my message for completeness of this thread... :-)
You are right - except that it doesn't really decrypt the secret, it only creates a hash identical to the one created by the Webservice and compares the hash.
Thanks, Carsten
On 17/01/2017 14:58, Carsten Bock wrote:
> Hi,
> I don't know who's responsible for approving bigger messages - if present, please approve my message for completeness of this thread... :-)
Done!
Cheers, Daniel
Hello,
On 17/01/2017 14:38, Steve Davies wrote:
> Hi Daniel,
> On 17 January 2017 at 14:15, Daniel-Constantin Mierla miconda@gmail.com wrote:
> > I guess you can use other modules such as http_client to interact with the web service. The jansson module can be used to parse the result. Also, it should be possible to do it without interacting with the web service, because you can compute the password using the shared secret key. So, in this case, Kamailio doesn't need to interact with the web service.
> Thanks for that, and to Carsten who also sent an explanation.
> It seems like all that documentation about the web service is indeed a red-herring since the module is neither a client nor a provider of such a service. There is no obligation to implement such a service as documented - since in any event auth_ephemeral neither implements nor consumes this web service.
> All auth_ephemeral does is to authenticate clients using a secret (password) that is encrypted using a shared key. auth_ephemeral I guess decrypts the secret which is structured so that auth_ephemeral can tell that it is legit and unexpired.
> Do I have this right?
> Gotta say that the docs really don't make this clear.
The password used for SIP authentication is not decrypted. It is about how the password is generated, so that the same value results when done by the web service and the SIP server. The JavaScript relies on the webservice to provide a short-term valid password. auth_ephemeral does the same kind of processing as the webservice and should get the same password. Using this password it computes the Digest response and if there is a match, then authentication is ok.
I guess you can still fetch the password through a web service in kamailio.cfg (using http_client) and then use it with:
https://www.kamailio.org/docs/modules/stable/modules/auth_ephemeral.html#aut...
If you can make the documentation more clear, contributions are welcome -- the easiest would be a pull request on GitHub.
Cheers, Daniel
Hi,
The idea behind ephemeral passwords is that any webservice can create username/passwords without explicitly provisioning them on the other servers. The auth_ephemeral module does not provide the webserver, but only the capability to authenticate based on a shared secret.
You may e.g. use the following PHP function to create a username, which is valid for the next 3 hours (3*3600):
    function getEphemeralUsername($username) {
        // Expiry timestamp: now plus 3 hours
        $timeout = time() + (3 * 3600);
        return $timeout . ':' . $username;
    }

With this "temporary username" and the shared secret, you can now create a temporary password:

    function getEphemeralPassword($temporary_user, $shared_secret) {
        // base64 of the raw HMAC-SHA1 over the temporary username
        return base64_encode(hash_hmac('sha1', $temporary_user, $shared_secret, true));
    }

    $secret = "imsrulez";
    $username = getEphemeralUsername('steve'); // Creates: '<-unix-timestamp:valid until->:steve'
    $password = getEphemeralPassword($username, $secret);
The documentation refers to any website which could provide the username/password (e.g. even a homepage without any API interaction).
On Kamailio, you can now verify the username/password, if you configure the same "shared password":
modparam("auth_ephemeral", "secret", "imsrulez")
Thanks, Carsten
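The server-side check discussed in this thread (recompute the password from the shared secret, then compare Digest responses), as an added Python sketch that is not part of any message here and is not Kamailio's own code. The username format and secret follow the PHP example above; the realm, URI and nonce are constructed sample values, and the Digest form assumed is RFC 2617 without qop.

```python
import base64, hashlib, hmac, time

def ephemeral_password(temp_user, secret):
    # Same construction as the PHP above: base64(HMAC-SHA1(key=secret, msg="expiry:user")).
    mac = hmac.new(secret.encode(), temp_user.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 Digest without qop: MD5(HA1:nonce:HA2).
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify(user, realm, method, uri, nonce, response, secret, now=None):
    """Return 'ok', 'malformed', 'expired' or 'mismatch'."""
    now = int(time.time()) if now is None else now
    expiry, sep, name = user.partition(":")
    if not (sep and name and expiry.isascii() and expiry.isdigit()):
        return "malformed"
    if int(expiry) < now:
        return "expired"
    # Nothing is decrypted: the password is recomputed and the responses compared.
    password = ephemeral_password(user, secret)
    expected = digest_response(user, realm, password, method, uri, nonce)
    return "ok" if hmac.compare_digest(expected, response) else "mismatch"

if __name__ == "__main__":
    # Constructed sample values (realm, URI and nonce are not from the thread).
    secret, realm, uri, nonce = "imsrulez", "example.org", "sip:example.org", "n0nce"
    user = f"{int(time.time()) + 3 * 3600}:steve"
    client_pw = ephemeral_password(user, secret)  # what the web service hands out
    resp = digest_response(user, realm, client_pw, "REGISTER", uri, nonce)
    print(verify(user, realm, "REGISTER", uri, nonce, resp, secret))
```

Changing the expiry in the username changes the HMAC input, so a client that extends its own timestamp ends up with a password the server will not reproduce.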