[SR-Users] Can't get route[AUTH] working as expected.

SamyGo govoiper at gmail.com
Fri Mar 23 19:54:51 CET 2018


Hi Aqs,
What seems to be the problem? Do you want this caller to be IP
authenticated, digest authenticated, or denied?


On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas <aqsyounas at gmail.com> wrote:

> Greetings list.
>
> I can see that I was able to bypass the default route[AUTH] if I send an
> INVITE containing a from_uri which is not local but a request line
> containing a local user.
>
> listen=udp:172.16.40.10:5060
>
> route[AUTH] {
> #!ifdef WITH_AUTH
> #!ifdef WITH_IPAUTH
>     if((!is_method("REGISTER")) && allow_source_address()) {
>         # source IP allowed
>         return;
>     }
> #!endif
>     if (is_method("REGISTER") || from_uri==myself) {
>         # authenticate requests
>         if (!auth_check("$fd", "subscriber", "1")) {
>             auth_challenge("$fd", "0");
>             exit;
>         }
>         # user authenticated - remove auth header
>         if(!is_method("REGISTER|PUBLISH"))
>             consume_credentials();
>     }
>     # if caller is not local subscriber, then check if it calls
>     # a local destination, otherwise deny, not an open relay here
>     if (from_uri!=myself && uri!=myself) {
>         sl_send_reply("403","Not relaying");
>         exit;
>     }
> #!else
>     # authentication not enabled - do not relay at all to foreign networks
>     if(uri!=myself) {
>         sl_send_reply("403","Not relaying");
>         exit;
>     }
> #!endif
>     return;
> }
>
> The INVITE below gets passed through the above auth route.
>
>
> INVITE sip:60129879190@172.16.40.10 SIP/2.0
> Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
> Max-Forwards: 70
> From: <sip:0128888877@139.5.177.99>;tag=as2274e806
> To: <sip:60129879190@172.16.40.10>
> Contact: <sip:0128888877@139.5.177.91:5060>
> Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b@139.5.177.91:5060
> CSeq: 102 INVITE
> User-Agent: FPBX-13.0.194.2(13.17.0)
> Date: Fri, 23 Mar 2018 09:33:01 GMT
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
> PUBLISH, MESSAGE
> Supported: replaces, timer
> Content-Type: application/sdp
> Content-Length: 321
>
> v=0
> o=root 237494576 237494576 IN IP4 139.5.177.99
> s=Asterisk PBX 13.17.0
> c=IN IP4 139.5.177.99
> t=0 0
> m=audio 15332 RTP/AVP 0 18 8 101
> a=rtpmap:0 PCMU/8000
> a=rtpmap:18 G729/8000
> a=fmtp:18 annexb=no
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-16
> a=ptime:20
> a=maxptime:150
> a=sendrecv
>
> From the INVITE and route[AUTH] I can see why it is being passed.
>
> But shouldn't it by default authenticate every request if the IP address
> is not allowed in the permissions module?
>
> Br, Aqs.
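
The decision path that the quoted route[AUTH] takes for the quoted INVITE, as an added Python model that is not part of the original thread and not Kamailio code. Assumptions: the names `parse`, `route_auth` and `strict`, an empty permissions address table, and treating "credentials present" as a successful auth_check(); `strict=True` models dropping the `from_uri==myself` condition so that every request from a non-allowed source is challenged.

```python
import re

# Constructed from the thread: listen address and key headers of the posted INVITE.
LOCAL_HOSTS = {"172.16.40.10"}   # what `myself` matches here (no aliases assumed)
ALLOWED_SOURCES = set()          # assumed: source IP is not in the permissions table
INVITE = (
    "INVITE sip:60129879190@172.16.40.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport\r\n"
    "From: <sip:0128888877@139.5.177.99>;tag=as2274e806\r\n"
    "To: <sip:60129879190@172.16.40.10>\r\n"
    "CSeq: 102 INVITE\r\n\r\n"
)

# Host part of a sip:/sips: URI, with or without a user part or port.
URI_HOST = re.compile(r"sips?:(?:[^@>;\s]*@)?([^:;>\s]+)")

def parse(msg):
    """Return (method, request-URI host, From-URI host, has_credentials)."""
    lines = msg.split("\r\n")
    method, ruri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:                 # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    has_creds = "authorization" in headers or "proxy-authorization" in headers
    return (method, URI_HOST.search(ruri).group(1),
            URI_HOST.search(headers["from"]).group(1), has_creds)

def route_auth(msg, src_ip, strict=False):
    """Model of route[AUTH] with WITH_AUTH and WITH_IPAUTH defined."""
    method, ruri_host, from_host, has_creds = parse(msg)
    # allow_source_address() branch
    if method != "REGISTER" and src_ip in ALLOWED_SOURCES:
        return "allow-ip"
    # Default: only REGISTER or a local From domain triggers digest auth.
    if strict or method == "REGISTER" or from_host in LOCAL_HOSTS:
        if not has_creds:            # stand-in for a failed auth_check()
            return "challenge"
    # Foreign caller to foreign destination: refuse to relay.
    if from_host not in LOCAL_HOSTS and ruri_host not in LOCAL_HOSTS:
        return "reject"
    return "pass"                    # foreign From + local R-URI lands here

if __name__ == "__main__":
    print("default:", route_auth(INVITE, "139.5.177.91"))
    print("strict: ", route_auth(INVITE, "139.5.177.91", strict=True))
```
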