[Serusers] clarification about authentication

Iqbal iqbal at gigo.co.uk
Tue Aug 30 13:22:32 CEST 2005 

tks, that cleared it up ...I think :-), interesting that there are so 
many levels of auth for a call, am sure alot of setups have a few open 
holes in them

Iqbal

Greger V. Teigre wrote:

> A quick reply without verifying, so no guarantees on the quality of 
> the answers...
>
>> www_authorize , will this always fail, ? because it seems to and then 
>> a www.challenge is sent.
>
>
> If the message has included digest credentials and the nonce value has 
> not expired, it will not fail, but just verify the credentials without 
> an extra authentication.
>
>> In www.challenge, is it okay to leave the realm blank, as I have 
>> done, or is it better practice to have the same realm as that in 
>> www_authorise("", "1");
>
>
> I think leaving it blank (both www_authorize and challenge) is better 
> if you have multiple domains, as the realm will be implicit.  However, 
> I believe you should either set both or none.
>
>> check_to should only be run if auth is correct above , is that correct?
>
>
> That's correct.
>
>> Why run check_to at all, ?
>
>
> Because the username and authorization can be set to different values. 
> As the username is registered as the location, you can for example use 
> email address for authentication and a phone number for username. The 
> user will then be accessible through the phone number, but not email 
> address. However, the user may configure the device with ANY phone 
> number unless you check that the username is allowed for this 
> particular authentication user.  This check is what check_to enforces 
> by making sure that authentication user and username are equal.
>
>> and then u have proxy_auth and proxy_challenge, and is_from_local and 
>> is_uri_local, surely all these dont need to be used as checks in 
>> INVITE or do they.
>
>
> The first two are for security, the last two are for routing:
> is_from_local checks the caller's domain part agains the DB of local 
> domains. If you use domain when authentication the INVITE, you don't 
> need is_from_local as a security measure, but rather as a way to 
> detect messages from local UACs.
> is_uri_local does the same for the destination (callee) to determine 
> whether it's local.
>
> g-)
>
> .
>

More information about the sr-users mailing list