[Serusers] digest authentication without db

Francesco Fondelli francesco.fondelli at gmail.com
Wed Jun 1 13:09:23 CEST 2005


Hello,

I'm new to SER and SIP as well so please forgive my
mistakes.
I'm trying to set up SER in order to forward calls to
a pool of PSTN gateways. I want to use digest authentication
for UAs, but I cannot store user IDs and passwords in a DB.

Basically I would like to do:

	if (!www_authorize("mydomain.com", "subscriber")) {
                 www_challenge("mydomain.com", "0");
                 break;
         };

getting the user ID and password from a text configuration file
which contains this information. How can I do that?

I have written a ser cfg file and I would like someone to tell me
if it is OK. It is a mix of several different cfg files I have found
on the net. I'm sure it is far from OK :-)

Thanks for your help.
Ciao

-------------------------------------------------------------------
# ----------- global configuration parameters ------------------------

# debug=4 / fork=no / log_stderror=yes keep SER in the foreground with
# verbose logging on stderr -- convenient while testing; the commented-out
# values next to them are the usual daemon settings.
#debug=3
debug=4
#fork=yes
fork=no
#log_stderror=no
log_stderror=yes


check_via=no	 # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no       # (cmd. line: -R)
#port=5060

#children=4
# NOTE(review): the management FIFO is created in world-writable /tmp; on a
# shared host restrict who can open it (SER's fifo_mode parameter and/or a
# private directory) -- confirm what this SER version offers.
fifo="/tmp/ser_fifo"

#uid=
#gid=

# bind only to the proxy's LAN address
listen=192.168.1.114

# alias="mydomain.com"

loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
# NOTE(review): mysql + auth_db back the www_authorize() calls in route{}
# with a database. To keep those calls but read credentials from a text
# file, a text-backed DB module (dbtext) is the usual substitute for mysql --
# confirm it is available for this SER version before relying on it.
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"


# ----------------- setting module-specific parameters ---------------

# db_mode 0: registrations are kept in memory only (no usrloc DB writes)
modparam("usrloc", "db_mode",   0)

# -------------------------  routing logic ---------------------------

route {
	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) {
		log("Too many hops\n");
		sl_send_reply("483","Too Many Hops");
		break;
	};
	if ( msg:len > max_len ) {
		log("Message too big\n");
		sl_send_reply("513", "Message too big");
		break;
	};

	# process requests for our domain (gws included)
	# NOTE(review): these patterns are unanchored and the dots in the
	# gateway addresses are unescaped, so e.g. "@192.168.1.1710" or
	# "@192x168x1x171" would also pass this test; escaping the dots and
	# anchoring the tail ("$") tightens the match.
	if (uri=~"[@:]mydomain\.com([;:].*)*" |
	    uri=~"@192.168.1.171([;:].*)*" |         #pstn gw1
	    uri=~"@192.168.1.172([;:].*)*"	|    #pstn gw2
	    uri=~"@192.168.1.173([;:].*)*" ) {       #pstn gw3

		log("Request is for mydomain.com\n");	

		# registers always MUST be authenticated to
		# avoid stealing incoming calls	
		if (method=="REGISTER") {

			log("Request is REGISTER\n");

			# credentials are looked up by auth_db in the "subscriber"
			# table. NOTE(review): no db_url modparam appears in this
			# file, so the lookup presumably uses the module default --
			# confirm it points at the intended credential store.
                         if (!www_authorize("mydomain.com", "subscriber")) {
             			log("REGISTER has no credentials, sending challenge\n");
                                 www_challenge("mydomain.com", "0");
                                 break;
                         };

			# prohibit attempts to grab someone else's address
			# using someone else's valid credentials
			# (this 401 carries no new challenge; 403 is the conventional
			# reply for valid credentials presented for the wrong To URI)
			if (!check_to()) {
				log("Cheating attempt\n");
				sl_send_reply("401", "Unauthorized");
				break;
			};
				
			# update user location database (it should be in mem)
	       		log("REGISTER is authorized, saving location\n");
			save("location");
			break;
		};

		# now it's about PSTN destinations through our gateways
		# NOTE(review): the " at " in the pattern below is most likely the
		# list archive's rewriting of "@" (the sender address in the mail
		# header shows the same mangling) -- the original presumably reads
		# "sip:[0-9]+@.*"; check the file before copying this line.
		if (uri=~"sip:[0-9]+ at .*") {
			# all PSTN destinations only for authenticated users
			# (GWs, which have no digest support, are authenticated
			# by its IP address)
			# NOTE(review): source-IP trust is only as strong as the
			# network path (UDP source addresses are not authenticated),
			# so keep the gateway LAN filtered at the network layer as
			# well. For non-REGISTER requests SER's proxy_authorize() /
			# proxy_challenge() (407) is the usual pairing rather than
			# www_* (401) -- confirm against the auth module docs.

			if (!(src_ip==192.168.1.171 | 	#pstn gw1
			      src_ip==192.168.1.172 | 	#pstn gw2
			      src_ip==192.168.1.173) & 	#pstn gw3
			      !(www_authorize("mydomain.com", "subscriber"))) {
				www_challenge("mydomain.com", "0");
				break;
			};
			
			# requests to gateways must be record-route because the GWs accept
			# only requests coming from our proxy
			if (method=="INVITE")
				record_route();

			# XXX: find the best gw using first part of telephone number and...

			# every PSTN call currently goes to gw1 regardless of the number
			rewritehostport("192.168.1.171:5060"); #172 or 173
		} else {
			# native SIP destinations are handled using our USRLOC DB
			# and are allowed only from gws
			if (src_ip==192.168.1.171 | 	#pstn gw1
			    src_ip==192.168.1.172 | 	#pstn gw2
			    src_ip==192.168.1.173) { 	#pstn gw3
				if (!lookup("location")) {
					log("Unable to lookup contact, sending 404\n");
					sl_send_reply("404", "Not Found");
					break;
				};
			} else {
				log("No native SIP destination allowed\n");
				sl_send_reply("403", "Permission denied");
				break;
			};
		};
         } else {
		# outbound requests are not allowed
		log("No outbound requests allowed\n");
		sl_send_reply("403", "Permission denied");
		break;
	};

	# and finally.. forward to current uri; use stateful forwarding; that
	# works reliably even if we forward from TCP to UDP
	if(!t_relay()) {
		sl_reply_error();
	};
}



