[SR-Users] Authentication Feature Question
Ali Jawad
ali.jawad at splendor.net
Tue Jan 3 17:13:40 CET 2012
Hi
Please see the below, thanks !
interface: eth1 (xx.xx.xx.0/255.255.255.0)
match: support1
U +6.698682 yy.yy.yy.146:18832 -> xx.xx.xx.51:5060
REGISTER sip:register.domain.com SIP/2.0.
Via: SIP/2.0/UDP
192.168.0.191:18832;branch=z9hG4bK-d8754z-05164a466600837d-1---d8754z-;rport.
Max-Forwards: 70.
Contact: <sip:support1 at 192.168.0.191:18832;rinstance=f8e37e314657e0d7;transport=udp>.
To: "Test Ast"<sip:support1 at register.domain.com>.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
CSeq: 1 REGISTER.
Expires: 3600.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
SUBSCRIBE, INFO.
User-Agent: eyeBeam release 1102q stamp 51814.
Content-Length: 0.
.
U +0.005245 xx.xx.xx.51:5060 -> yy.yy.yy.146:18832
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
192.168.0.191:18832;branch=z9hG4bK-d8754z-05164a466600837d-1---d8754z-;rport=18832;received=yy.yy.yy.146.
To: "Test Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.3053.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
CSeq: 1 REGISTER.
WWW-Authenticate: Digest realm="domain.com",
nonce="TwMpUE8DKCSt/IP7jcNRMbCT4TnbqlHl".
Server: kamailio (3.2.1 (i386/linux)).
Content-Length: 0.
.
U +0.428042 yy.yy.yy.146:18832 -> xx.xx.xx.51:5060
REGISTER sip:register.domain.com SIP/2.0.
Via: SIP/2.0/UDP
192.168.0.191:18832;branch=z9hG4bK-d8754z-fc633b21627dca6d-1---d8754z-;rport.
Max-Forwards: 70.
Contact: <sip:support1 at 192.168.0.191:18832;rinstance=f8e37e314657e0d7;transport=udp>.
To: "Test Ast"<sip:support1 at register.domain.com>.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
CSeq: 2 REGISTER.
Expires: 3600.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
SUBSCRIBE, INFO.
User-Agent: eyeBeam release 1102q stamp 51814.
Authorization: Digest
username="support1",realm="domain.com",nonce="TwMpUE8DKCSt/IP7jcNRMbCT4TnbqlHl",uri="sip:register.domain.com",response="6122245b77e2df0b90179304464341e7",algorithm=MD5.
Content-Length: 0.
.
U +0.005146 xx.xx.xx.51:5060 -> yy.yy.yy.146:18832
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
192.168.0.191:18832;branch=z9hG4bK-d8754z-fc633b21627dca6d-1---d8754z-;rport=18832;received=yy.yy.yy.146.
To: "Test Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.fce3.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
CSeq: 2 REGISTER.
WWW-Authenticate: Digest realm="domain.com",
nonce="TwMpUE8DKCSt/IP7jcNRMbCT4TnbqlHl".
Server: kamailio (3.2.1 (i386/linux)).
Content-Length: 0.
.
[root at kam-rtp-100-51 mysql]# mail alijawad1 at gmail.com < output.txt
[root at kam-rtp-100-51 mysql]# ngrep -W byline -T support1 -q -d eth1
interface: eth1 (xx.xx.xx.0/255.255.255.0)
match: support1
U +5.321505 yy.yy.yy.146:63610 -> xx.xx.xx.51:5060
REGISTER sip:register.domain.com SIP/2.0.
Via: SIP/2.0/UDP
192.168.0.191:63610;branch=z9hG4bK-d8754z-fb28723daa3f772d-1---d8754z-;rport.
Max-Forwards: 70.
Contact: <sip:support1 at 192.168.0.191:63610;rinstance=782b19a2fccc665f;transport=udp>.
To: "Test Ast"<sip:support1 at register.domain.com>.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
CSeq: 1 REGISTER.
Expires: 3600.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
SUBSCRIBE, INFO.
User-Agent: eyeBeam release 1102q stamp 51814.
Content-Length: 0.
.
U +0.004782 xx.xx.xx.51:5060 -> yy.yy.yy.146:63610
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
192.168.0.191:63610;branch=z9hG4bK-d8754z-fb28723daa3f772d-1---d8754z-;rport=63610;received=yy.yy.yy.146.
To: "Test Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.6b98.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
CSeq: 1 REGISTER.
WWW-Authenticate: Digest realm="domain.com",
nonce="TwMpsU8DKIX4lvWDwPsV4iUhCl+iOAdk".
Server: kamailio (3.2.1 (i386/linux)).
Content-Length: 0.
.
U +0.400706 yy.yy.yy.146:63610 -> xx.xx.xx.51:5060
REGISTER sip:register.domain.com SIP/2.0.
Via: SIP/2.0/UDP
192.168.0.191:63610;branch=z9hG4bK-d8754z-81517d296225234f-1---d8754z-;rport.
Max-Forwards: 70.
Contact: <sip:support1 at 192.168.0.191:63610;rinstance=782b19a2fccc665f;transport=udp>.
To: "Test Ast"<sip:support1 at register.domain.com>.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
CSeq: 2 REGISTER.
Expires: 3600.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
SUBSCRIBE, INFO.
User-Agent: eyeBeam release 1102q stamp 51814.
Authorization: Digest
username="support1",realm="domain.com",nonce="TwMpsU8DKIX4lvWDwPsV4iUhCl+iOAdk",uri="sip:register.domain.com",response="4bfd80b0b836c20b748ee19a1c886284",algorithm=MD5.
Content-Length: 0.
.
U +0.005302 xx.xx.xx.51:5060 -> yy.yy.yy.146:63610
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
192.168.0.191:63610;branch=z9hG4bK-d8754z-81517d296225234f-1---d8754z-;rport=63610;received=yy.yy.yy.146.
To: "Test Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.2f76.
From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
CSeq: 2 REGISTER.
WWW-Authenticate: Digest realm="domain.com",
nonce="TwMpsU8DKIX4lvWDwPsV4iUhCl+iOAdk".
Server: kamailio (3.2.1 (i386/linux)).
Content-Length: 0.
.
On Tue, Jan 3, 2012 at 6:08 PM, Daniel-Constantin Mierla
<miconda at gmail.com> wrote:
> Hello,
>
> I need the entire flow for registration, including the 401 reply and the
> following REGISTER request.
>
> Cheers,
> Daniel
>
>
> On 1/3/12 5:02 PM, Ali Jawad wrote:
>>
>> Hi
>> Please see the ngrep below, please note that if I use in the db
>> register.domain.com and generate a hash against it for HA1 it
>> works,but then the user cant logon to register2.domain.com
>>
>>
>> U +10.630576 xx.yy.yy.yy:20020 -> xx.xx.xx.xx:5060
>> REGISTER sip:register.domain SIP/2.0.
>> Via: SIP/2.0/UDP
>>
>> 192.168.0.191:20020;branch=z9hG4bK-d8754z-af65a442980c375f-1---d8754z-;rport.
>> Max-Forwards: 70.
>>
>> Contact:<sip:support1 at 192.168.0.191:20020;rinstance=4009190a4e109ac6;transport=udp>.
>> To: "Test Ast"<sip:support1 at register.domain>.
>> From: "Test Ast"<sip:support1 at register.domain>;tag=976bb004.
>> Call-ID: MDFmZDU2ZTI2YjJjMGNlMGFmOTIzMWFmZGQ1ZTNjMDE..
>> CSeq: 1 REGISTER.
>> Expires: 3600.
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>> SUBSCRIBE, INFO.
>> User-Agent: eyeBeam release 1102q stamp 51814.
>> Content-Length: 0.
>>
>> On Tue, Jan 3, 2012 at 5:58 PM, Daniel-Constantin Mierla
>> <miconda at gmail.com> wrote:
>>>
>>> Hello,
>>>
>>>
>>> On 1/3/12 4:48 PM, Ali Jawad wrote:
>>>>
>>>> Hi Daniel
>>>>
>>>> Please see
>>>>
>>>> 5(18649) DEBUG:<core> [db_res.c:184]: allocate 8 bytes for rows at
>>>> 0xb7b78d74
>>>> 5(18649) DEBUG:<core> [db_row.c:119]: allocate 20 bytes for row
>>>> values at 0xb7b78dac
>>>> 5(18649) DEBUG:<core> [db_val.c:117]: converting STRING
>>>> [6f966cd9c628f14cdc20172f96a4d065]
>>>> 5(18649) DEBUG: auth [api.c:210]: check_response: Our result =
>>>> '6f95e6235edca0b7765042ef119fd83b'
>>>> 5(18649) DEBUG: auth [api.c:220]: check_response: Authorization failed
>>>> 5(18649) DEBUG:<core> [db_res.c:81]: freeing 1 columns
>>>> 5(18649) DEBUG:<core> [db_res.c:85]: freeing RES_NAMES[0] at
>>>> 0xb7b78d3c
>>>> 5(18649) DEBUG:<core> [db_res.c:94]: freeing result names at
>>>> 0xb7b78bfc
>>>> 5(18649) DEBUG:<core> [db_res.c:99]: freeing result types at
>>>> 0xb7b78c64
>>>> 5(18649) DEBUG:<core> [db_res.c:54]: freeing 1 rows
>>>> 5(18649) DEBUG:<core> [db_row.c:97]: freeing row values at
>>>> 0xb7b78dac
>>>> 5(18649) DEBUG:<core> [db_res.c:62]: freeing rows at 0xb7b78d74
>>>> 5(18649) DEBUG:<core> [db_res.c:136]: freeing result set at
>>>> 0xb7b78bb0
>>>> 5(18649) DEBUG: auth [challenge.c:102]: build_challenge_hf:
>>>> realm='nymgo.com'
>>>> 5(18649) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate:
>>>> Digest realm="domain.com", nonce="TwMcuk8DG47SLxatlNdZfyfR8p3OiyAE"
>>>> '
>>>>
>>>> I rebuilt the hashes against domain.com and then tried to connect to
>>>> sip1.domain.com and sip2.domain.com and sip3.domain.com with all of
>>>> the having
>>>>
>>>>
>>>> # ----- auth_db params -----
>>>> #!ifdef WITH_AUTH
>>>> modparam("auth_db", "db_url", DBURL)
>>>> modparam("auth_db", "calculate_ha1", 0 )
>>>> modparam("auth_db", "password_column", "ha1")
>>>> modparam("auth_db", "load_credentials", "")
>>>> modparam("auth_db", "use_domain", MULTIDOMAIN)
>>>>
>>>> And in the routing process :
>>>>
>>>> if (!www_authorize("domain.com", "subscriber"))
>>>> {
>>>>
>>>> www_challenge("domain.com", "0");
>>>> exit;
>>>> }
>>>>
>>>>
>>>> +++++++++++++
>>>>
>>>> My point is that the hashes are caculated from user:doman:pwd which
>>>> are extracted from the SIP packet and in this case the domains are
>>>> sip1,sip2,sip3 while the hashes stored in the database are generated
>>>> against domain.com
>>>>
>>>> If " ha1 is actually hash over 'user:realm:pwd' " shouldn't I have to
>>>> set the domain/realm in the config file ?
>>>
>>>
>>> the first parameter in www_authorize and www_challenge functions is the
>>> realm and it is used to build the digest response.
>>>
>>> Is your phone putting user at domain in authorization header? Can you paste
>>> here the ngrep of registration?
>>>
>>> Cheers,
>>> Daniel
>>>
>>>
>>>> I might be wrong....thanks for the help so far.
>>>>
>>>> Regards
>>>>
>>>> On Tue, Jan 3, 2012 at 5:15 PM, Daniel-Constantin Mierla
>>>> <miconda at gmail.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>>
>>>>> On 1/3/12 4:12 PM, Ali Jawad wrote:
>>>>>>
>>>>>> Hi Daniel
>>>>>> This certainly makes sense, I will try it in a few mins, but what I
>>>>>> observed at Debug Level 3 is that Hash is calculated before
>>>>>> www_authenticate is executed and it shows HA comparison failed, if I
>>>>>> do use domain.com instead of $fd and use $domain.com in db domain
>>>>>> field and build HA1 filed based on that, wont Kamailio still try to
>>>>>> build the HA1 hash which it will compare form user:domain:pwd where
>>>>>> domain is fed in to the hash function from the header of the SIP
>>>>>> packet ?
>>>>>
>>>>>
>>>>> the ha1 is actually hash over 'user:realm:pwd' -- it is just common
>>>>> practice
>>>>> to use the domain as realm, since realm should be a unique token to
>>>>> identify
>>>>> the service, but it can be any random string. realm is given as
>>>>> parameter
>>>>> to auth functions in kamailio.cfg
>>>>>
>>>>> Cheers,
>>>>> Daniel
>>>>>
>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Tue, Jan 3, 2012 at 5:07 PM, Daniel-Constantin Mierla
>>>>>> <miconda at gmail.com> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> you can simply use 'domain.com' as realm parameter to authentication
>>>>>>> function instead of $fd. Also build ha1 and ha1b with domain.com and
>>>>>>> then
>>>>>>> you are safe no matter which sip server is used.
>>>>>>>
>>>>>>> Of course you can build the realm by striping first token before '.'
>>>>>>> in
>>>>>>> $fd
>>>>>>> and pass it to authentication functions, but not sure if makes sense
>>>>>>> since
>>>>>>> it should be always domain.com
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Daniel
>>>>>>>
>>>>>>>
>>>>>>> On 1/3/12 3:15 PM, Ali Jawad wrote:
>>>>>>>>
>>>>>>>> Hi
>>>>>>>> After some research it seems to me that the only way to achieve this
>>>>>>>> is to "try" and change how hashing is done in the source code, a
>>>>>>>> little bit too ambitious for me, and it means I will have loads of
>>>>>>>> problems each time an upgrade is released.
>>>>>>>>
>>>>>>>> Or
>>>>>>>>
>>>>>>>> Use pseudovariables to fix the value of the $fd value to something
>>>>>>>> constant, while this worked for values like $var(y) I was not able
>>>>>>>> to
>>>>>>>> assign/strip $fd to remove the subdomain part.
>>>>>>>>
>>>>>>>> Any input please ?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> On Tue, Jan 3, 2012 at 2:06 PM, Ali Jawad<ali.jawad at splendor.net>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>> I do have 3 Kamailio servers, one for mobile phone registrations,
>>>>>>>>> one
>>>>>>>>> for softphone registrations and one for SIP device registrations.
>>>>>>>>> Each
>>>>>>>>> of those devices connects to it's perspective kamailio server
>>>>>>>>>
>>>>>>>>> sip1.domain.com
>>>>>>>>> sip2.domain.com
>>>>>>>>> sip3.domain.com
>>>>>>>>>
>>>>>>>>> All 3 Kamailio servers share the same database, and users can use
>>>>>>>>> their kamailio user/pwd on any of the devices, now I want to use
>>>>>>>>> encrypted passwords and remove clear text passwords from the
>>>>>>>>> database.
>>>>>>>>> I did test with one server and all is fine,however if a user want
>>>>>>>>> to
>>>>>>>>> register from the second kamailio server it does not work,
>>>>>>>>> basically
>>>>>>>>> because the db domain entry from which the hash is created is
>>>>>>>>> sip1.domain.com and stored in the db, while the user connects from
>>>>>>>>> to
>>>>>>>>> sip2.domain.com this eventually generates a different hash.
>>>>>>>>>
>>>>>>>>> Is there anyway to overcome this ? Can I exclude Domain from Hash
>>>>>>>>> generation ? Any other option that allows me to do the above ?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>
>>>>
>>>>
>>> --
>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>
>>
>>
>
> --
> Daniel-Constantin Mierla -- http://www.asipto.com
> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>
--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
More information about the sr-users
mailing list