Hello! My problem is I need to do user authentication through API. So I need to replace
if (!www_authenticate("$td", "subscriber")) { www_challenge("$td", "1"); }
With
if (!my_auth_script()) { www_challenge("$td", "1"); }
The main problem is - how can I grab or compare the user's password? I know nonce, which I understand is MD5 salt. Can I, for example, grab the user's password from API, then grab the MD5 string and the nonce user sent me, calculate MD5 on base of API password and nonce - and then compare MD5 strings sent by user and calculated?
UPD: If upper method is possible - I assume I can check if message has Auth header using
if (has_credentials("myrealm")) { ... } Can you please specify how to grab it?
-- Alexandru Covalschi ABRISS-Solutions VoIP engineer and system administrator phone: +37367398493 web: http://abs-telecom.com/
Hello,
if your script can return the password for the user to Kamailio, you could use the pv_*_authenticate functions. You can pass the password to check against to these functions in a pseudo variable.
http://www.kamailio.net/docs/modules/4.3.x/modules/auth.html#auth.f.pv_www_a...
Best Regards, Sebastian
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Thanks for your reply! But the problem is - I need to provide to API user's login and password. Kamailio doesn't know them. So my idea was to transmit to API the salt and encrypted password. Would that work? I see it that way
1. User sends register request.
2. Kamailio sends to API salt and encr.passwd
3. API recalculates MD5 on its side and compares with encr.passwd
4. Sends OK if it's ok, huh
5. I receive OK from API and send simple 200 OK to user
Do you see any logical mistakes here? Do I need some special 200 OK to approve registration, or simple send_reply("401", "OK"); is enough?
simple send_reply("200", "OK");, sorry
So it should be like
...
if (!has_credentials("myrealm")) {
    www_challenge("$td", "1");
} else {
    if (!my_script()) {
        sl_send_reply("401", "Not Authorized");
    }
}
...
Hello,
it's been a while since I worked with external scripts, but you can exec external scripts. See: http://www.kamailio.net/docs/modules/4.3.x/modules/exec.html
The documentation says, you can access header fields of the packet via environment variables. So you can get the WWW-Authorize header into your script, extract the needed fields and send them to the API. The API then should be able to calculate the response again according to the Digest Authentication rules with the supplied information and the plain password.
Best Regards, Sebastian
What if I don't need a plaintext password on Kamailio? I mean, I don't want to use pv_www_authenticate or other auth functions again - I need to fully control AUTH on API. Is it ok to just send 200 OK to client if API tells me that password is ok?
You don't need to use pv_*_authenticate. This is just an internal function which tells you, whether your user supplied correct credentials or not. You can replace it by checking the return code or output of the script and then continue in your dialplan. You could then call save() from the registrar module, which automatically sends a 200 OK to your user (unless you explicitly prevent it from doing so).
Sebastian
Many thanks for your help Sebastian!
Well, reopening that thread seeking for some help again :( The solution is working pretty nice, and my config looks like that

# authenticate requests
if (has_credentials("****")) {
    $var(y) = @msg.header.Authorization;
    xlog("$var(y)");
    exec_avp("/etc/kamailio/login.py '$var(y)' '$rm'", "$avp(s:test)");
    xlog("$avp(s:test)");
}

if ($avp(s:test) != "1") {
    www_challenge("****", "1");
    exit;
}

login.py returns 1 if creds are OK and 0 if no. Now I'm seeking help with such question - as I understand, currently anyone can register or auth his requests by using same Authorization header for all purposes. So, I mean, someone can grab Auth header from the user's packet and just use it to dig in the server. How to avoid that? As I understood it's implemented in Kamailio. Can you please tell me? Or give a link to RFC/doc where this is described? As I understood, I'll need to implement that in my script, or maybe I can use some built-in functions?
On Tuesday 24 November 2015 18:32:49 Alexandru Covalschi wrote:
Now I'm seeking help with such question - as I understand, currently anyone can register or auth his requests by using same Authorization header for all purposes. So, I mean, someone can grab Auth header from the user's packet and just use it to dig in the server. How to avoid that? As I understood it's implemented in Kamailio. Can you please tell me? Or give a link to RFC/doc where this is described? As I understood, I'll need to implement that in my script, or maybe I can use some built-in functions?
That is what the nonce in the challenge/response is for.
https://tools.ietf.org/html/rfc2617#section-4.3
You'll have to handle that in your script. You have to check how often kamailio generates new nonces: http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.nonce_count http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.one_time_non... since you might decline a response in your script but have the www_challenge produce the same challenge to the client.