Hello,
In my scenario with a Kamailio server, I have a VOIP client connecting to the server which, for some reason, cannot calculate MD5 hashes but only SHA. In this situation, would it be possible to change the authentication algorithm by either modifying Kamailio scripts or writing an external module to do that?
As far as I know, the authentication response is calculated as follows (standard HTTP Digest authentication):
HA1=MD5(username:realm:password)
HA2=MD5(method:digestURI)
response=MD5(HA1:nonce:HA2)
For that, I have to save ha1 and ha1b values in the DB with the SHA function directly (with a trigger for example), and then change the authentication method too. What is the best solution to do that? Does a module already exist?
Thank you!
Frederic Mathys System Integration & Validation
Hello,
to understand properly, do you need to have:
HA1=SHA(username:realm:password)
HA2=SHA(method:digestURI)
response=SHA(HA1:nonce:HA2)
Perhaps it can be done with config file scripting, if you are familiar with transformations and header manipulation. But I think it will be simpler to extend the auth module to support a different hashing algorithm.
The code for computing shaX is already in kamailio (used for shaX transformations), so the change in auth should be about advertising and detecting when the new algorithm has to be used.
Cheers, Daniel
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello Daniel,
Thank you for your answer, this is exactly what I need. Modification of the auth module seems to be a better solution, but this leads to some questions for me...
- Could you explain a little bit how the auth module is working? Which files do I have to modify to change the hash method?
- If I use another auth_* module to get username / password, the modification in the auth module is enough for the www_authentication? In other words, the authentication is always done in this module? Even if I use auth_radius or auth_diameter or a self-made auth_* module?
Regards, Frederic
Hello,
On 07/05/15 09:49, Mathys Frédéric wrote:
> Hello Daniel,
> Thank you for your answer, this is exactly what I need. Modification of the auth module seems to be a better solution, but this leads to some questions for me…
> Could you explain a little bit how the auth module is working? Which files do I have to modify to change the hash method?
It is hard to remember by heart or explain here -- but in short, what I would do is to identify where the MD5 hashing is done and from there try to add an alternative for shaX.
> If I use another auth_* module to get username / password, the modification in the auth module is enough for the www_authentication? In other words, the authentication is always done in this module? Even if I use auth_radius or auth_diameter or a self-made auth_* module?
Some of those modules might be touched as well, given, for example, that auth_db can already retrieve the hashed value from the database. IIRC, radius authentication sends all the attributes for authentication to radius and radius server does all the computation for check.
As a first step, I would focus on auth module for pv_auth_check() which takes the password or the hashed value as parameter.
Cheers, Daniel
Still on the subject, we are exploring the possibilities and one of them would be to use the diameter module. As stated in the documentation: "NOTE: diameter support was developed for DISC (DIameter Server Client project at http://developer.berlios.de/projects/disc/). This project seems to be no longer maintained and DIAMETER specifications were updated in the meantime. Thus, the module is obsolete and needs rework to be usable with opendiameter or other DIAMETER servers." Is it planned to update this module on your side or not?
One other solution would be to write our own module to connect to another server (which contains the users/passwords and calculates the HA1 and HA2 values), tcp layer would still be done by auth module. To do that, is there a spec on how to communicate with auth module? And any documentation on custom module development and deployment? The principle would be more or less the same as diameter, but maybe our server would not use radius nor diameter protocols.
By doing it, we try to reach two goals: use SHA instead of MD5 and increase the security of the user management by hosting it in a different way than Kamailio does.
Thank you, Frederic
Hello,
On 07/05/15 15:38, Mathys Frédéric wrote:
> Still on the subject, we are exploring the possibilities and one of them would be to use the diameter module. As stated in the documentation:
> “NOTE: diameter support was developed for DISC (DIameter Server Client project at http://developer.berlios.de/projects/disc/). This project seems to be no longer maintained and DIAMETER specifications were updated in the meantime. Thus, the module is obsolete and needs rework to be usable with opendiameter or other DIAMETER servers.”
> Is it planned to update this module on your side or not?
The module might be (pretty) functional, but due to no real demand and lack of open source diameter servers, it was not properly maintained.
Note that there is another module that does diameter, named cdp, which is mainly used in IMS deployments -- this one is active and used.
> One other solution would be to write our own module to connect to another server (which contains the users/passwords and calculates the HA1 and HA2 values), tcp layer would still be done by auth module. To do that, is there a spec on how to communicate with auth module? And any documentation on custom module development and deployment? The principle would be more or less the same as diameter, but maybe our server would not use radius nor diameter protocols.
Maybe for this case it is better to use http to contact the server -- you can do an http query from kamailio.cfg using utils module (another module for http operations should be in a personal branch of Olle, something related to curl -- see all branches in our git repository).
Also, you may build a faster prototype using an embedded language (Lua, Perl, Python -- see the modules that have the name starting with app_ ).
> By doing it, we try to reach two goals: use SHA instead of MD5 and increase the security of the user management by hosting it in a different way than Kamailio does.
Said in a previous email -- you can focus on auth module for pv_auth_check() function. You can fetch the password or its hashed variant via other connectors (e.g., ldap, sqlops) -- see next a tutorial about ldap:
- http://www.kamailio.org/wiki/tutorials/mini-howto-admin/ldap-user-auth
Cheers, Daniel
> Thank you,
> Frederic
Another approach is to modify a Radius auth module in freeRadius or maybe it can be done via freeRadius configuration.
We have used Kamailio Radius integration successfully and the HA1 is stored in the Radius database. You would simply compute that as an SHA1 instead. HA2 is of course calculated dynamically by the Radius server - it might be that this can be configured to use SHA instead - might be worth a look.
Cheers Shane