[SR-Users] Sync nonce between various servers

Carsten Bock carsten at ng-voice.com
Mon Nov 19 15:27:24 CET 2012


Hi Andreas,

short question:
Why don't you use a shared secret to create a nonce value?

http://kamailio.org/docs/modules/devel/modules/auth.html#auth.secret

Something like:
# ----------------- Settings for Auth-DB ---------------
modparam("auth", "secret", "sipwise-is-great")

If you set a common secret on all servers, all servers can validate
the nonce-value (works at least with 1.5 and 3.2).

Carsten

2012/11/19 Andreas Granig <agranig at sipwise.com>:
> Hi David,
>
> On 11/19/2012 02:54 PM, David J wrote:
>> Is the database shared? If so maybe when they authenticate add a secure
>> token to the header that the second proxy can use for auth?
>
> No, the DBs are explicitly NOT shared in this scenario.
>
>> Just a suggestion, not sure if it's the answer you're looking for or perhaps
>> I didn't understand the scenario well enough.
>
> Let me try to put the scenario in different words:
>
> If a request from a subscriber hits a server, and it doesn't contain an
> Authorization header, then the server would just challenge the request.
> This doesn't require any subscriber information on this server, so it
> shouldn't matter whether this subscriber exists on this server or not.
>
> When the request comes in again, this time with an Authorization header,
> the server can use the username and realm of this header to check
> whether the subscriber is local or not. If it's local, it would just try
> to authenticate it as usual, and if it's not, it can look up the correct
> server using this auth username/realm and forward the request to the
> responsible server.
>
> Now this second server would receive a request, which already contains
> an authorization header, but it won't be able to authenticate it if the
> nonce is not in sync between server1 and server2.
>
> So this leads to the question whether it's possible to sync the nonces
> in a way that server1 challenges a request, and a different server would
> be able to authenticate the subsequent request holding the
> challenge-response.
>
> Andreas



-- 
Carsten Bock
CEO (Geschäftsführer)

ng-voice GmbH
Schomburgstr. 80
D-22767 Hamburg / Germany

http://www.ng-voice.com
mailto:carsten at ng-voice.com

Office +49 40 34927219
Fax +49 40 34927220

Registered office: Hamburg
Register court: Amtsgericht Hamburg, HRB 120189
Managing Director: Carsten Bock
VAT ID: DE279344284

Our legally required company information can be found here:
http://www.ng-voice.com/imprint/
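
Added example (not part of the original message, and not Kamailio's own nonce format): a simplified Python sketch of why a common secret lets a second server validate a nonce that a first server issued, without any shared database. The HMAC-SHA256 construction, the 300-second lifetime and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

NONCE_LIFETIME = 300  # seconds a nonce stays valid (assumed value)


def _mac(secret: bytes, stamp: str) -> bytes:
    return hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest().encode()


def make_nonce(secret: bytes, now: Optional[int] = None) -> str:
    """Issue a stateless nonce: 8 hex digits of expiry time plus a MAC over them."""
    now = int(time.time()) if now is None else now
    stamp = f"{now + NONCE_LIFETIME:08x}"
    return stamp + _mac(secret, stamp).decode()


def check_nonce(secret: bytes, nonce: str, now: Optional[int] = None) -> str:
    """Validate using only the secret; no per-nonce state or shared DB is needed."""
    now = int(time.time()) if now is None else now
    stamp, mac = nonce[:8], nonce[8:]
    # Constant-time comparison on bytes; fails for forged nonces and for
    # nonces issued under a different secret.
    if not hmac.compare_digest(mac.encode(), _mac(secret, stamp)):
        return "invalid"
    if int(stamp, 16) < now:
        return "stale"  # authentic but expired: re-challenge the client
    return "ok"


if __name__ == "__main__":
    shared = b"constructed-shared-secret"  # constructed sample value
    nonce = make_nonce(shared)             # server1 sends the challenge
    print("server2, same secret:     ", check_nonce(shared, nonce))
    print("server3, different secret:", check_nonce(b"other-secret", nonce))
    print("server2, after expiry:    ",
          check_nonce(shared, nonce, now=int(time.time()) + NONCE_LIFETIME + 1))
```

Anyone who knows the secret can mint nonces that every server accepts, so it should be a long random value that is distributed only to the servers that need it.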


