[Serusers] authentication recommendations

Klaus Darilion klaus.mailinglists at pernau.at
Thu Mar 18 18:47:51 CET 2004


Hi!

I use this setup:

# Requests from our own users: authenticate, then bind the credentials to From:
if (is_from_local() ) {
  if (!proxy_authorize("", "subscriber")) {
   xlog("L_ERR", "%is [%Tf]: %rm %fu -> %ru: bad credentials\n");
   proxy_challenge("", "0");
   break;
  } else {
   # the digest username must match the user in the From: header
   if (!check_from()) {
    sl_send_reply("403", "cheating: user!=from");
    xlog("L_ERR", "%is [%Tf]: %rm %fu -> %ru: authuser!=from ->break\n");
    break;
   };
  };
  xlog("L_INFO", "%is [%Tf]: %rm %fu -> %ru: successfully authenticated\n");
  setflag(2); # local user
} else {
  # Requests from foreign domains: only accept them if they are for us,
  # or if they are in-dialog requests carrying a Route header
  if ((!is_uri_host_local()) ) {
   if (is_present_hf("Route")) {
    xlog("L_INFO", "%is [%Tf]: %rm %fu -> %ru: relaying allowed because route header is present\n");
   } else {
    sl_send_reply("403", "we don't support relaying");
    xlog("L_ERR", "%is [%Tf]: %rm %fu -> %ru: 403 relaying not allowed\n");
    break;
   };
  };
};


As you see, you also have to verify that the username in the 
credentials is the same as in the From: header. This is done using the 
check_from() method.

For register requests, you have to compare the auth-username with the 
To: header. --> check_to()

regards,
Klaus
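The consistency check Klaus describes (the digest username must equal the user part of From:, or of To: for REGISTER), modelled in Python as an added example; this is not SER code, and the SIP messages, user names and realm below are constructed.

```python
"""Model of SER's check_from()/check_to(): credentials must be bound to the
identity header, otherwise any valid account can send calls as anyone else.
Added example, not SER code; all SIP messages here are constructed."""
import re
from typing import Optional, Tuple

# Digest parameters: key="quoted value" or key=bare-value
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
# user part of a SIP/SIPS URI inside a From:/To: header
_URI_USER_RE = re.compile(r'<?sips?:([^@>;]+)@')


def parse_request(msg: str) -> Tuple[str, dict]:
    """Return (method, {lower-cased header name: value}) for a SIP request."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split()[0], headers


def digest_username(auth_header: str) -> Optional[str]:
    """Extract username= from a Digest (Proxy-)Authorization header."""
    if not auth_header.lower().startswith("digest "):
        return None
    params = {k.lower(): q or b for k, q, b in _PARAM_RE.findall(auth_header[7:])}
    return params.get("username")


def identity_check(msg: str) -> Tuple[int, str]:
    """Status a proxy would answer: 401/407 challenge, 403 mismatch, 200 ok."""
    method, headers = parse_request(msg)
    # REGISTER is checked against To: (check_to), other requests against
    # From: (check_from); REGISTER credentials arrive in Authorization:
    if method == "REGISTER":
        auth, identity_hdr, challenge = headers.get("authorization"), "to", 401
    else:
        auth, identity_hdr, challenge = headers.get("proxy-authorization"), "from", 407
    user = digest_username(auth or "")
    if user is None:
        return challenge, "challenge: no credentials"
    m = _URI_USER_RE.search(headers.get(identity_hdr, ""))
    if m is None or m.group(1) != user:
        return 403, "cheating: user!=%s" % identity_hdr
    return 200, "identity ok"


# Constructed sample traffic: alice authenticates; the second INVITE reuses
# alice's credentials but claims to be carol in From:.
INVITE_OK = ("INVITE sip:bob@example.org SIP/2.0\r\n"
             "From: Alice <sip:alice@example.org>;tag=1\r\n"
             "To: <sip:bob@example.org>\r\n"
             'Proxy-Authorization: Digest username="alice", realm="example.org", '
             'nonce="abc", uri="sip:bob@example.org", response="0000"\r\n\r\n')
INVITE_SPOOFED = INVITE_OK.replace("From: Alice <sip:alice@", "From: Carol <sip:carol@")
REGISTER_OK = ("REGISTER sip:example.org SIP/2.0\r\n"
               "From: <sip:alice@example.org>;tag=2\r\n"
               "To: <sip:alice@example.org>\r\n"
               'Authorization: Digest username="alice", realm="example.org", '
               'nonce="n", uri="sip:example.org", response="0000"\r\n\r\n')
```

Running `identity_check` over the three messages gives 200 for the honest INVITE and REGISTER and 403 for the spoofed From:, which is exactly what `proxy_authorize` alone would miss.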

Ticknor.Scott at ic.gc.ca wrote:

> hey Everyone,
> 
> me and my partner in the lab here have set up a very simple SER
> implementation. up to now we have been using digest authentication with
> mysql, and created users with serctl etc. 
> it was nice to get it working and place some calls, we have a couple cisco
> 7960 phones as well as X-Lite clients. but in our tests we found that we
> could put *any* user name & password in the X-Lite config--and the calls
> would still succeed! the message console in X-Lite shows the 401
> unauthorized response to REGISTER [which is to be expected] but then if we
> go ahead and dial...the other phone will ring.
> 
> there must be an explanation. i see some people are using RADIUS for
> authentication; would a RADIUS implementation solve this problem? i cannot
> attach my ser.cfg just now...but it is almost completely stock anyway, the
> changes made were uncommenting the digest auth bits, and setting the domain
> name.
> ideas?
> 
> scott t,
> DSi
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
> 
> 