[sr-dev] git:master: auth: added new error code to auth API

Daniel-Constantin Mierla miconda at gmail.com
Tue Nov 15 08:11:01 CET 2011


Hello,

Actually, nothing changed in the old functions. A new one was added to the
auth_db module, auth_check(), that combines the www/proxy_auth*
functions, and another one to the auth module, auth_challenge(), that
internally combines www/proxy_challenge(). For now, auth_check() can
additionally check the auth username against the To/From header username.

So, nothing has changed in the old functions, backward compatibility is
fully ensured, and I have no plan to touch them.

One of the purposes of the new function is to reduce the size of the default
config by offering the behavior of the common use case. The user check is
done based on a parameter flag anyhow.

The next plan for this function is to bind it to the htable module (a matter
of a module parameter) to count failed authentications per user and give
the option to write a log message to alert and temporarily disable
authentication for users failing to authenticate several times in a row
-- in other words, a way to protect against dictionary attacks. This can
be achieved with config file scripting, but for newcomers it might not be
that obvious how to do it, and in the context of the many such scanning
attacks that happen lately, I found it interesting to just make an
out-of-the-box function for it.

Cheers,
Daniel

On 11/15/11 3:15 AM, Juha Heinanen wrote:
> Alex Balashov writes:
>
>> The problem, as you well know, is that not having the check allows a
>> user A to impersonate the identity of any other user B, as long as
>> user A has his own valid credentials for himself.
> yes, i well know it and therefore one needs to check if the user really
> owns the uri or not.  to make an automatic invalid check is in my opinion
> a very bad idea, since according to rfc3261 uri userpart does not have
> anything to do with user's authentication username.
>
> -- juha

-- 
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda
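
The per-user failure counter that the message above describes as the next step, written out in config file scripting as an added example for this page (it is not code from the patch, from the default config, or from the later module feature). Assumptions: a Kamailio config with the htable, auth, auth_db and sl modules loaded; an htable named authfail (invented name) with an arbitrary 15-minute expiry and a threshold of 5 failures; that auth_check() signals "no credentials" with return code -5, as the existing www_authenticate() documentation states; that the htable $shtinc pseudo-variable is available; flag "1" on auth_check() enabling the To/From username check and flag "1" on auth_challenge() requesting qop=auth; and the From domain ($fd) as the realm, as in the default config.

```kamailio
# Added example: per-user failed-auth counter with temporary lockout.
# Not project code; names and thresholds are assumptions (see lead-in).
loadmodule "sl.so"
loadmodule "auth.so"
loadmodule "auth_db.so"
loadmodule "htable.so"

# assumed table name; entries vanish 900s after they were last written,
# so a locked user is automatically re-enabled after 15 minutes
modparam("htable", "htable", "authfail=>size=8;autoexpire=900;")

route[AUTH] {
    # $au is the username taken from the Authorization/Proxy-Authorization
    # credentials; it is $null on the first, unauthenticated request.
    # Refuse outright while the user is over the (arbitrary) threshold.
    if ($au != $null && $sht(authfail=>$au) != $null
            && $sht(authfail=>$au) >= 5) {
        xlog("L_ALERT", "auth temporarily disabled for $au: too many"
                        " failed attempts, last from $si\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }

    # auth_check(realm, table, flags): flag bit 1 also compares the auth
    # username with the To/From username (assumed flag meaning)
    if (!auth_check("$fd", "subscriber", "1")) {
        # -5 is assumed to mean "no credentials at all": that is the normal
        # first leg of the challenge exchange and must not be counted,
        # otherwise every legitimate login would burn one attempt
        if ($rc != -5) {
            # $shtinc increments atomically and returns the new value;
            # a missing key starts from 0 (assumed htable behaviour)
            $var(fails) = $shtinc(authfail=>$au);
            xlog("L_INFO", "auth failure $var(fails) for $au (rc $rc)"
                           " from $si\n");
        }
        # flag "1" assumed to request qop=auth in the challenge
        auth_challenge("$fd", "1");
        exit;
    }

    # success: clear the counter and strip the credentials before relaying
    $sht(authfail=>$au) = $null;
    consume_credentials();
}
```

Keying the counter on the username alone has a known downside worth deciding on before deploying something like this: anyone who can guess a subscriber's username can lock that subscriber out by sending five bad passwords, which turns the brake into a denial-of-service lever. Keying on the source address ($si) or on the username/source pair blocks the scanner without punishing the real user, at the cost of letting a distributed scan through; which one fits depends on the deployment, and this is exactly the kind of decision a built-in function has to expose as a parameter.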