[SR-Users] Sync nonce between various servers

Olle E. Johansson oej at edvina.net
Mon Nov 19 15:25:48 CET 2012


On 19 Nov 2012, at 15:06, Andreas Granig <agranig at sipwise.com> wrote:

> Hi David,
> 
> On 11/19/2012 02:54 PM, David J wrote:
>> Is the database shared? If so maybe when they authenticate add a secure
>> token to the header that the second proxy can use for auth?
> 
> No, the DBs are explicitly NOT shared in this scenario.
> 
>> Just a suggestion, not sure if it's the answer you're looking for or perhaps
>> I didn't understand the scenario well enough.
> 
> Let me try to put the scenario in different words:
> 
> If a request from a subscriber hits a server, and it doesn't contain an
> Authorization header, then the server would just challenge the request.
> This doesn't require any subscriber information on this server, so it
> shouldn't matter whether this subscriber exists on this server or not.
> 
> When the request comes in again, this time with an Authorization header,
> the server can use the username and realm of this header to check
> whether the subscriber is local or not. If it's local, it would just try
> to authenticate it as usual, and if it's not, it can look up the correct
> server using this auth username/realm and forward the request to the
> responsible server.
> 
> Now this second server would receive a request, which already contains
> an authorization header, but it won't be able to authenticate it if the
> nonce is not in sync between server1 and server2.
> 
> So this leads to the question whether it's possible to sync the nonces
> in a way that server1 challenges a request, and a different server would
> be able to authenticate the subsequent request holding the
> challenge-response.

If both servers have the same procedure to produce the nonce,
the first server can issue the nonce and the second accept it, verify
that it is a valid nonce in this cluster and do the authentication.

I believe that's why we have the secret in the auth module:
http://kamailio.org/docs/modules/3.3.x/modules/auth.html#auth.secret

If we have two kamailios with the same auth secret, I think one can
issue a challenge and the other one will first verify the nonce, then 
go ahead with authorization based on the other server's nonce.

Before you believe in any word of what I say, wait for confirmation
by one of the core developers :-)

/O
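
The idea in the message above, as an added sketch that is not part of the original post and is not Kamailio's own nonce code: a nonce that carries its own expiry and a keyed tag can be checked by any server holding the same secret, with no shared database. The HMAC-SHA256 layout, the 300-second lifetime, and the names `issue_nonce`, `verify_nonce` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

NONCE_LIFETIME = 300  # seconds; constructed value for this sketch


def _tag(secret: bytes, stamp: str) -> str:
    """Keyed tag binding the expiry stamp to the cluster secret."""
    return hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()


def issue_nonce(secret: bytes, now: Optional[int] = None) -> str:
    """Server 1: mint a stateless nonce (8 hex digits of expiry time + tag)."""
    issued = int(time.time()) if now is None else now
    stamp = f"{issued + NONCE_LIFETIME:08x}"
    return stamp + _tag(secret, stamp)


def verify_nonce(secret: bytes, nonce: str, now: Optional[int] = None) -> str:
    """Server 2: return 'ok', 'expired' or 'invalid' using only the secret."""
    stamp, tag = nonce[:8], nonce[8:]
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(_tag(secret, stamp).encode(), tag.encode()):
        return "invalid"
    current = int(time.time()) if now is None else now
    # The stamp is authenticated at this point, so parsing it is safe.
    return "ok" if current <= int(stamp, 16) else "expired"


def demo() -> dict:
    """Constructed scenario: two servers share a secret, a third does not."""
    shared, foreign = b"constructed-cluster-secret", b"some-other-secret"
    t0 = 1353335148  # constructed clock value
    nonce = issue_nonce(shared, now=t0)            # challenge from server 1
    forged = f"{t0 + 86400:08x}" + nonce[8:]       # expiry edited by a client
    return {
        "server2_same_secret": verify_nonce(shared, nonce, now=t0 + 10),
        "server3_other_secret": verify_nonce(foreign, nonce, now=t0 + 10),
        "after_lifetime": verify_nonce(shared, nonce, now=t0 + 301),
        "edited_expiry": verify_nonce(shared, forged, now=t0 + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A check like this only shows that the nonce was minted with the cluster secret and has not expired; any replay tracking that needs per-nonce state remains local to each server.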


