[SR-Users] Grab users password from WWW-Auth header

Alexandru Covalschi 568691 at gmail.com
Fri Nov 13 15:43:56 CET 2015


What if I don't need a plaintext password on Kamailio? I mean, I don't want
to use pv_www_authenticate or other auth functions again - I need to fully
control AUTH on API. Is it ok to just send 200 OK to client if API tells me
that password is ok?

2015-11-13 16:39 GMT+02:00 Sebastian Damm <damm at sipgate.de>:

> Hello,
>
> it's been a while since I worked with external scripts, but you can exec
> external scripts. See:
> http://www.kamailio.net/docs/modules/4.3.x/modules/exec.html
>
> The documentation says, you can access header fields of the packet via
> environment variables. So you can get the WWW-Authorize header into your
> script, extract the needed fields and send them to the API. The API then
> should be able to calculate the response again according to the Digest
> Authentication rules with the supplied information and the plain password.
>
> Best Regards,
> Sebastian
>
>
>
> On Fri, Nov 13, 2015 at 3:13 PM, Alexandru Covalschi <568691 at gmail.com>
> wrote:
>
>> simple send_reply("200", "OK");, sorry
>>
>> 2015-11-13 16:02 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
>>
>>> Thanks for your reply! But the problem is - I need to provide to API
>>> user's login and password. Kamailio doesn't know them. So my idea was to
>>> transmit to API the salt and encrypted password. Would that work? I see it
>>> that way
>>> 1. User sends register request.
>>> 2. Kamailio sends to API salt and encr.passwd
>>> 3. API recalculates MD5 on its side and compares with encr.passwd
>>> 4. Sends OK if it's ok, huh
>>> 5. I receive OK from API and send simple 200 OK to user
>>>
>>> Do you see any logical mistakes here? Do I need some special 200 OK to
>>> approve registration, or simple send_reply("401", "OK"); is enough?
>>>
>>>
>>> 2015-11-13 15:21 GMT+02:00 Sebastian Damm <damm at sipgate.de>:
>>>
>>>> Hello,
>>>>
>>>> if your script can return the password for the user to Kamailio, you
>>>> could use the pv_*_authenticate functions. You can pass the password to
>>>> check against to these functions in a pseudo variable.
>>>>
>>>>
>>>> http://www.kamailio.net/docs/modules/4.3.x/modules/auth.html#auth.f.pv_www_authenticate
>>>>
>>>> Best Regards,
>>>> Sebastian
>>>>
>>>> On Fri, Nov 13, 2015 at 2:14 PM, Alexandru Covalschi <568691 at gmail.com>
>>>> wrote:
>>>>
>>>>> UPD: If upper method is possible - I assume I can check if message has
>>>>> Auth header using
>>>>>
>>>>> if (has_credentials("myrealm")) {
>>>>>     ...
>>>>> }
>>>>> Can you please specify how to grab it?
>>>>>
>>>>>
>>>>> 2015-11-13 15:08 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
>>>>>
>>>>>> Hello!
>>>>>> My problem is I need to do user authentication through API. So I
>>>>>> need to replace
>>>>>>
>>>>>> if (!www_authenticate("$td", "subscriber")) {
>>>>>> 	www_challenge("$td", "1");
>>>>>> }
>>>>>>
>>>>>> With
>>>>>>
>>>>>> if (!my_auth_script()) {
>>>>>> 	www_challenge("$td", "1");
>>>>>> }
>>>>>>
>>>>>> The main problem is - how can I grab or compare user's password? I
>>>>>> know nonce, which I understand is MD5 salt. Can I, for example, grab user's
>>>>>> password from API, then grab the MD5 string and the nonce user sent me,
>>>>>> calculate MD5 on base of API password and nonce - and then compare MD5
>>>>>> strings sent by user and calculated?
>>>>>>
>>>>>>


-- 
Alexandru Covalschi
ABRISS-Solutions
VoIP engineer and system administrator
phone: +37367398493
web: http://abs-telecom.com/
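
The API-side check discussed in this thread (recompute the Digest response from the header fields and the stored plain password, then compare), as an added example that is not part of the original messages. The function names are hypothetical, only `algorithm=MD5` with `qop=auth` or no `qop` is handled, and the sample header is the RFC 2617 section 3.5 test vector rather than data from this thread.

```python
import hashlib
import hmac
import re

# RFC 2617 section 3.5 test vector (not from this thread); method is GET.
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
SAMPLE_PASSWORD = "Circle Of Life"

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value: str) -> dict:
    """Split 'Digest k="v", k2=v2' into a dict of lower-cased parameter names."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): (q if q else u) for k, q, u in pairs}

def verify_digest(header_value: str, method: str, password: str) -> bool:
    """Recompute the response for `method` and `password`; True if it matches."""
    try:
        p = parse_digest(header_value)
    except ValueError:
        return False
    if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
        return False
    if p.get("algorithm", "MD5").upper() != "MD5":
        return False  # MD5-sess and other algorithms are not handled here
    ha1 = _md5(f'{p["username"]}:{p["realm"]}:{password}')
    ha2 = _md5(f'{method}:{p["uri"]}')
    if p.get("qop") == "auth":
        if "nc" not in p or "cnonce" not in p:
            return False
        expected = _md5(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    elif "qop" not in p:
        expected = _md5(f'{ha1}:{p["nonce"]}:{ha2}')  # RFC 2069 style, no qop
    else:
        return False  # auth-int needs the message body, not covered
    # Constant-time comparison on bytes, so odd characters cannot raise.
    return hmac.compare_digest(expected.encode(), p["response"].lower().encode())
```

For the REGISTER case in this thread, `method` would be `"REGISTER"`. The function only checks the hash: whether the nonce was really issued by the proxy and is still fresh has to be checked separately, otherwise a captured header can be replayed.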